US investment bank Morgan Stanley will pay USD 1 million for lax protection of customer data after an employee took records on some 730,000 clients, the Securities and exchange Commission announced today.
The SEC said the bank did not adequately limit staff access to confidential customer account data, and that some of the data taken by the former employee eventually was posted for sale on the Internet by a third party.
The SEC said the employee, Galen Marsh, downloaded the confidential records between 2011 and 2014 and transferred them to his home computer server.
Then, according to the agency, “a likely third party” hacked into Marsh’s server to access the data, some of which was then posted for sale online.
When the case first came to light in early 2015, Morgan Stanley said there was no evidence that customers had incurred any financial losses due to the data theft.
Marsh was later convicted for the theft and was sentenced to 36 months of probation and ordered to pay USD 600,000 in restitution.
“Given the dangers and impact of cyber breaches, data security is a critically important aspect of investor protection,” said Andrew Ceresney, director of the SEC Enforcement Division, in a statement.
“We expect SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information,” he said.