Morgan Stanley to pay $60 million penalty for insufficient oversight of data centers
WASHINGTON – Morgan Stanley MS.N will pay a $60 million penalty after a U.S. banking regulator found the firm lacked proper oversight as it decommissioned two business data centers.
The Office of the Comptroller of the Currency said on Thursday the bank failed to properly monitor an outside vendor as it wound down the centers in 2016, and failed to maintain inventory of customer data. The regulator said the bank had similar vendor management issues in 2019 when decommissioning other network devices.
In July, the bank began notifying some wealth management customers that their personal data might have been compromised, after computer hardware the bank had disposed of was found to still contain some of that information. The bank offered two years of free credit monitoring services to affected customers.
“We have continuously monitored the situation and we do not believe that any of our clients’ information has been accessed or misused,” said a bank spokesperson in a statement. “Moreover, we have instituted enhanced security procedures, including continuous fraud monitoring, and will continue to strengthen the controls that we have in place to protect our clients’ information.”