
Morgan Stanley to pay $35M after hard drives with 15M customers’ personal data turn up in auction

The U.S. Securities and Exchange Commission has agreed to settle charges against Morgan Stanley Smith Barney (MSSB) for its “astonishing” failure to protect the personal identifying information of some 15 million customers.

MSSB, now known as Morgan Stanley Wealth Management, is the wealth and asset management division of banking giant Morgan Stanley, which this week agreed to pay $35 million to settle allegations that it failed to properly dispose of hard drives and servers containing its customers’ personal data over a five-year period as far back as 2015.

Morgan Stanley hired a moving and storage company with “no experience or expertise in data destruction services,” according to the SEC, and failed to properly monitor the moving company’s work. Some of the hard drives were later found on an internet auction site with customers’ personal data still stored on them.

“While MSSB recovered some of the devices, which were shown to contain thousands of pieces of unencrypted customer data, the firm has not recovered the vast majority of the devices,” the SEC said in a statement.

The SEC also alleged that Morgan Stanley lost track of 42 servers that potentially contained unencrypted customer data when it decommissioned local office and branch servers as part of a hardware refresh program. The regulator added that, during this process, MSSB learned that the local devices being decommissioned had been equipped with encryption capability but had failed to activate the encryption software.

“MSSB’s failures in this case are astonishing. Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and MSSB fell woefully short in doing so,” said Gurbir S. Grewal, director of the SEC’s Enforcement Division. “If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors. Today’s action sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data.”

In a statement given to TechCrunch, Morgan Stanley didn’t admit or deny the findings but said it is “pleased to be resolving this matter.”


“We have previously notified applicable clients regarding these matters, which occurred several years ago and have not detected any unauthorized access to, or misuse of, personal client information,” said Susan Siering, a spokesperson for Morgan Stanley.

News of the SEC’s fine comes after Morgan Stanley was caught up in a data breach last year as a result of the Accellion hack. The investment banking firm — no stranger to data breaches — admitted that attackers stole personal information of its customers by hacking into an Accellion server of a third-party vendor, which it uses for file-sharing and transfers.
