Morgan Stanley agreed to pay a fine of $6.5 million to a coalition of six states for compromising the personal data of millions of customers while decommissioning computers at the financial services giant, New York's attorney general said Thursday.
Morgan Stanley as part of the settlement agreed to adopt provisions "that better protects the personal information of its consumers going forward," New York AG Letitia James' office said.
The settlement comes more than three years after Morgan Stanley notified the states' attorneys general of two incidents involving data security.
In the first incident, involving the closure of two company data centers in 2016, Morgan Stanley contracted with a vendor to remove data from the computers that were set to be decommissioned, but later learned that the vendor subcontracted certain services to an unauthorized provider, according to the agreement.
Some computers then ended up being auctioned off "while still containing consumers' personal information, including data belonging to 1.1 million New Yorkers," according to James' office.
"In a second incident, Morgan Stanley discovered during a decommissioning process that 42 servers, all potentially containing unencrypted customer information, were missing," James' office said in a statement. "During this process, the company learned that the local devices being decommissioned may have contained unencrypted data due to a manufacturer flaw in the encryption software."
An investigation found that Morgan Stanley failed to maintain proper controls for vendors and hardware inventory.
"Had these controls been in place, both data security events could have been prevented," James' office said.
James, in a statement, said, "No one should have their personal information auctioned off without their knowledge because a company failed to take basic steps to erase it before selling their old computers."
New York will receive $1.66 million in the settlement, and the rest of the fine will be split between the other states: Connecticut, Florida, Indiana, New Jersey and Vermont.
A Morgan Stanley spokesperson, in a statement to CNBC, said, "We have previously notified all potentially impacted clients regarding these matters, which occurred several years ago, and are pleased to have resolved this related investigation."
Since the incidents were discovered, the company has not detected unauthorized access or misuse of client information, and it has made significant changes to how it handles data destruction and vendors.