Morgan Stanley fined $35m for ‘astonishing’ data security breaches

Customers’ personal information left on devices sold on to third parties.

Morgan Stanley has been fined $35m by the US Securities and Exchange Commission (SEC) for “extensive failures” to protect the personal identifying information of 15 million customers over a five-year period.

On multiple occasions, Morgan Stanley hired a moving and storage company that had no experience or expertise in data destruction, and failed to monitor its work. This led to thousands of devices, including servers and hard drives, being sold on to a third party and eventually resold on an online auction site. Those devices contained thousands of pieces of unencrypted data.

While some devices have been recovered, the vast majority have not. Investigations also found that, during a local office and branch decommissioning process, Morgan Stanley discovered that 42 servers potentially containing unencrypted customer information were missing. Decommissioned local devices had been equipped with encryption software, but the firm had failed to activate it.

Gurbir S Grewal, Director of the SEC’s Enforcement Division, described Morgan Stanley’s failings as “astonishing”, adding that “Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected.”

The size of the fine reflects the fact that, in 2016, Morgan Stanley agreed to pay $1m for a similar offence. The same wealth management division – Morgan Stanley Smith Barney – also settled a class action suit over data breaches. That settlement led to the setting up of a $60m compensation fund.

Without admitting or denying its findings, the firm consented to the SEC’s order finding that it violated the Safeguards and Disposal Rules under Regulation S-P and agreed to pay the penalty.