The global financial services firm Morgan Stanley has agreed to pay one million dollars for its failure to protect the information of approximately 730,000 of its clients.
As reported by SecurityWeek, the Securities and Exchange Commission (SEC) said on Wednesday that Morgan Stanley "failed to adopt written policies and procedures reasonably designed to protect customer data," an oversight which allowed an employee of the bank to steal customer data.
The former employee, Galen Marsh, joined Morgan Stanley back in 2008. Three years later, he realised he could exploit a programming flaw that enabled him to run reports on all Morgan Stanley customers.
The Wall Street Journal writes that Marsh ran approximately 6,000 searches on bank customers through 2014, about a third of which were unauthorised. The former employee then decided to transfer the information of about 730,000 customers through a personal website to a personally owned server, which was ultimately hacked by a third party.
"Given the dangers and impact of cyber breaches, data security is a critically important aspect of investor protection. We expect SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information," said Andrew Ceresney, director of the SEC Enforcement Division, as quoted by USA Today.
Marsh pleaded guilty to obtaining unauthorised access to a computer. In December of 2015, he was sentenced to 36 months of probation and a $600,000 restitution fine.
The SEC said Morgan Stanley violated Rule 30(a) of Regulation S-P by failing to conduct a recent audit of its authorisation systems, which it claims would "likely have revealed the deficiencies." It went on to say that the bank did not monitor or analyse employee access to portals containing sensitive data.
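The SEC's criticism above is that employee access to customer portals was neither monitored nor analysed, so thousands of report runs against accounts an employee had no business reason to view went unnoticed. The following is an added illustration, not code from the page, the SEC, or Morgan Stanley, of the simplest form such monitoring can take: parse an access log of customer-record lookups and flag any employee-day whose count of distinct accounts is far outside what peers do. The log format (ISO timestamp, employee id, account id) and the sample records are constructed for the example; the thresholds are assumptions a real deployment would tune against its own baseline.

```python
"""Flag employees whose daily customer-record lookups far exceed their peers."""
from collections import defaultdict
from datetime import datetime
from statistics import median


def build_sample_log():
    """Constructed sample access log (not real data). One line per lookup:
    '<ISO timestamp> <employee id> <customer account id>'."""
    lines = []
    # Two ordinary employees, a handful of lookups each
    for emp, accts in (("emp-001", (10001, 10002, 10003)),
                       ("emp-002", (20001, 20002, 20003, 20004))):
        for i, acct in enumerate(accts):
            lines.append(f"2014-03-03T09:{10 + i:02d}:00 {emp} acct-{acct}")
    # One employee sweeping 60 distinct accounts in a single hour
    for i in range(60):
        lines.append(f"2014-03-03T11:{i:02d}:00 emp-003 acct-{30000 + i}")
    return "\n".join(lines)


def parse_log(text):
    """Parse log lines into (date, employee, account) tuples.
    Malformed lines are skipped so one bad record cannot stop the monitor."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        records.append((ts.date(), parts[1], parts[2]))
    return records


def daily_distinct_accounts(records):
    """Map (employee, date) -> set of distinct accounts that employee queried that day.
    Distinct accounts, not raw hits, so repeated views of one client are not inflated."""
    seen = defaultdict(set)
    for day, emp, acct in records:
        seen[(emp, day)].add(acct)
    return seen


def flag_outliers(records, factor=5, min_accounts=20):
    """Return [(employee, ISO date, distinct-account count)] for employee-days whose
    count exceeds both an absolute floor (min_accounts) and `factor` times the median
    employee-day across the firm. Both parameters are assumed values for the example."""
    per_day = daily_distinct_accounts(records)
    counts = {key: len(accts) for key, accts in per_day.items()}
    if not counts:
        return []
    baseline = median(counts.values())
    threshold = max(min_accounts, factor * baseline)
    return sorted((emp, day.isoformat(), n)
                  for (emp, day), n in counts.items() if n > threshold)


if __name__ == "__main__":
    for emp, day, n in flag_outliers(parse_log(build_sample_log())):
        print(f"REVIEW {emp} on {day}: {n} distinct customer accounts queried")
```

The peer-relative threshold matters more than the absolute floor: an employee whose legitimate book of business is large will sit near the median, whereas the pattern described in the article, one person running reports across the whole customer base, lands orders of magnitude above it. In practice the flagged employee-days feed a review queue rather than an automatic block, and the same access log is what an audit of the authorisation system would read to confirm that report scope matches each role.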
Morgan Stanley agreed to pay one million dollars in fines to the SEC to settle civil charges brought against it. At this time, the bank has neither admitted nor denied the findings of the Securities and Exchange Commission.