Morgan Stanley To Pay SEC Fine Tied To Advisor’s Data Breach

Hillary Clinton isn’t the only one with issues involving cybersecurity on a personal computer server.

Morgan Stanley Smith Barney will pay $1 million to settle charges that it failed to protect customer information related to 730,000 accounts after some of the data was downloaded to a personal server, hacked and offered for sale online.

In an administrative proceeding on Wednesday, the firm agreed to the penalty to settle U.S. Securities and Exchange Commission charges that it violated the “Safeguards Rule” when it failed to adopt policies and procedures to protect private information about approximately 730,000 customer accounts related to around 330,000 client households.

Galen Marsh, an advisor and former employee in Morgan Stanley’s New York office who was also charged by the SEC, allegedly downloaded and transferred confidential client data to his personal server at home between 2011 and 2014.

The data included protected information like full names, phone numbers, street addresses, account numbers, account balances and securities holdings, which Marsh allegedly referred to as “the world’s best cold-calling list,” even telling his superiors at Morgan Stanley that he had been “exploring job opportunities outside the bank.”

That information was stolen in a “likely third-party hack,” according to the SEC, resulting in portions of the client information being posted to the three websites, including the text-sharing site Pastebin, with offers to sell larger quantities of client data.

Previously, Marsh has said that Morgan Stanley told him Russian hackers were “suspected” of taking the information.

Marsh, accepted a five-year bar from the securities industry to settle the SEC’s accusation.

In its initial complaint, the SEC alleged that Morgan Stanley’s policies and procedures were substandard for two internal web portals that allowed employees to access customer records. Specifically, the allegations stated that Morgan Stanley did not have appropriate authorization restrictions to control employee access to customer data based on legitimate business need.

The SEC also claimed that Morgan Stanley failed to audit or test the employee authorization modules, nor did the company monitor employee access and use of the portals.

In a related criminal prosecution, Marsh was sentenced to three years probation and ordered to pay a $600,000 fine for the data breach after pleading guilty last year.

Morgan Stanley agreed to a censure and a $1 million civil penalty without admitting or denying the SEC’s findings.