Negligent data center shutdowns bring $60 million fine for Morgan Stanley

Hardware from the decommissioning of two facilities in 2016 still had some customer data on it by the time it reached recyclers.

Investment bank Morgan Stanley is paying a $60 million fine to the U.S. government for mishandling the decommissioning of two data centers in 2016, and potentially exposing customer information.

The bank reported the problem to wealth management customers this summer, saying that pieces of hardware from the facilities still had some customer data on them after they reached a recycler. In 2019, a similar situation arose during the decommissioning of network devices that stored customer data, according to the Office of the Comptroller of the Currency, the Treasury Department agency that announced the fine Thursday.

The case is a reminder that potential data breaches come in many forms beyond the usual concepts of cybercriminals hacking into networks or using business email compromise to trick employees.

In both cases at Morgan Stanley, the bank “failed to adequately assess the risk of subcontracting the decommissioning work, including exercising adequate due diligence in selecting a vendor and monitoring its performance; and failed to maintain appropriate inventory of customer data stored on the decommissioned hardware devices,” the agency said.


Despite the breakdowns in oversight, exposure of any customer data was unlikely because of the way the hardware was configured, Morgan Stanley told brokers earlier this year. In response to the OCC announcement, the bank said it hadn’t seen any unauthorized use of the data.

“We have continuously monitored the situation and we do not believe that any of our clients’ information has been accessed or misused,” Morgan Stanley said in a statement, according to Bloomberg. “Moreover, we have instituted enhanced security procedures, including continuous fraud monitoring, and will continue to strengthen the controls that we have in place to protect our clients’ information.”

Morgan Stanley has to pay the fine directly to the Treasury. The $60 million total is in line with other government fines handed out this year for cybersecurity incidents at financial institutions. The OCC dinged Capital One for $80 million earlier this year for the company’s big 2019 data breach.
