U.S. regulators sanctioned Morgan Stanley Smith Barney after finding that the firm’s clients had their personal information exposed when retired hard drives and other devices were auctioned off without first being wiped clean.

The U.S. Securities and Exchange Commission (SEC) charged Morgan Stanley with failing to protect the personal information of approximately 15 million clients over a five-year period by not properly disposing of old electronic devices that contained clients’ data.

The SEC’s order found that, starting in 2015, the firm hired a moving and storage company — which had no experience in data destruction — to decommission thousands of hard drives and servers.

The SEC said its investigation found that the moving company sold thousands of the devices to a third party, and that they eventually ended up on online auction sites with clients’ personal information still intact.

According to the regulator, the issue was uncovered by an IT consultant in Oklahoma who alerted the firm after buying old hard drives online and finding that he had access to the data on those drives.

In that email, the consultant told the firm: “You are a major financial institution and should be following some very stringent guidelines on how to deal with retiring hardware. Or at the very least getting some kind of verification of data destruction from the vendors you sell equipment to,” the SEC’s order said.

Morgan Stanley bought back those devices and has recovered some others, “which were shown to contain thousands of pieces of unencrypted customer data,” the SEC said. But the firm has not recovered the “vast majority” of the devices, it added.

Without admitting or denying the regulator’s findings, Morgan Stanley agreed to settle the SEC’s charges and to pay a US$35 million penalty.

“[Morgan Stanley’s] failures in this case are astonishing,” said Gurbir Grewal, director of the SEC’s enforcement division, in a release.

“Customers entrust their personal information to financial professionals with the understanding and expectation that it will be protected, and [Morgan Stanley] fell woefully short in doing so,” he added. “If not properly safeguarded, this sensitive information can end up in the wrong hands and have disastrous consequences for investors.”