Morgan Stanley will pay a $1 million penalty to settle SEC charges related to data protection failures that saw a former staffer transfer account data to his personal server, which was then hacked.
Financial advisor Galen Marsh was fired last January after downloading "partial account information" - not including passwords or social security numbers - on 730,000 wealth management clients over a three-year period.
Hackers appear to have stolen account names and numbers from Marsh's server, briefly posting the details of around 900 clients on the Internet and offering to sell more.
The SEC has issued an order finding that Morgan Stanley "failed to adopt written policies and procedures reasonably designed to protect customer data".
The bank agreed to settle without admitting or denying the findings. Marsh has accepted a five-year industry bar on top of a criminal conviction last year, for which he received 36 months of probation and a $600,000 restitution order.