The Securities and Exchange Commission (SEC) on Wednesday announced that Morgan Stanley will pay $1 million to resolve charges that it allowed customer information to be hacked and posted online.
According to the SEC, security failures at the bank allowed a then-employee to inappropriately access and transfer customer data from 730,000 accounts to a personal server, which was then hacked by a third party.
The breach was discovered when Morgan Stanley client information began popping up online in late December 2014. It was first discovered on the text-sharing site Pastebin.
Federal securities laws require registered broker-dealers and investment advisers to adopt written policies and procedures reasonably designed to protect customer data.
But the SEC found that Morgan Stanley had two internal web portals that lacked effective authorization mechanisms that would have restricted employees' access to customer data to legitimate business needs.
The former employee, Galen Marsh, denied trying to sell the information or posting it online. He has said he took the data home to study how other advisers approached their customers' investments.
He pleaded guilty to stealing the information, received 36 months of probation and must pay $600,000 in restitution.
Morgan Stanley agreed to settle the charges without admitting or denying the SEC’s findings.