- Bank will pay $1 million for failing to safeguard information
- Data taken by ex-employee was hacked, offered for sale online
Morgan Stanley was fined $1 million by the U.S. Securities and Exchange Commission to settle allegations that it failed to protect customer data improperly taken by a former financial adviser.
The bank failed to adopt federally required written policies and procedures to protect customer data, the SEC said in a statement Wednesday. As a result of the failures, from 2011 to 2014, Galen Marsh was able to access confidential information and transfer data on approximately 730,000 accounts to his personal server, which was ultimately hacked by third parties, the agency said.
In a separate SEC order, Marsh agreed to an industry ban with the right to apply in five years. He was criminally convicted for the breach last year, received 36 months of probation and was required to pay $600,000 in restitution.
Marsh conducted about 6,000 unauthorized searches on the bank’s computer system, according to the government. The information he took included client names, addresses, telephone numbers, account numbers, fixed-income investment information and account values. Account information for about 900 clients was found on an external website.
“Morgan Stanley is pleased to settle this matter,” Jim Wiggins, a spokesman, said in an e-mailed statement. The bank “worked quickly to protect affected clients by changing account numbers and offering credit monitoring and identity theft protection services.”