Morgan Stanley agreed to pay a tremendous of $6.5 million to a coalition of six states for compromising the non-public information of tens of millions of consumers whereas decommissioning computer systems on the monetary providers big, New York’s lawyer basic stated Thursday.

Morgan Stanley as a part of the settlement agreed to undertake provisions “that higher protects the non-public data of its shoppers going ahead,” New York AG Letitia James’ workplace stated.

The settlement comes greater than three years after Morgan Stanley notified the states’ attorneys basic of two incidents involving information safety.

Within the first incident, involving the closure of two firm information facilities in 2016, Morgan Stanley contracted with a vendor to take away information from the computer systems that had been set to be decommissioned, however later realized that the seller subcontracted sure providers to an unauthorized supplier, based on the settlement.

Some computer systems then ended up being auctioned off “whereas nonetheless containing shoppers’ private data, together with information belonging to 1.1 million New Yorkers,” based on James’ workplace.

“In a second incident, Morgan Stanley found throughout a decommissioning course of that 42 servers, all probably containing unencrypted buyer data, had been lacking,” James’ workplace stated in a press release. “Throughout this course of, the corporate realized that the native gadgets being decommissioned might have contained unencrypted information as a result of a producer flaw within the encryption software program.”

An investigation discovered that Morgan Stanley failed to take care of correct controls for distributors and {hardware} stock.

“Had these controls been in place, each information safety occasions may have been prevented,” James’ workplace stated.

James, in a press release, stated, “Nobody ought to have their private data auctioned off with out their data as a result of an organization didn’t take primary steps to erase it earlier than promoting their previous computer systems.”

New York will obtain $1.66 million within the settlement, and the remainder of the tremendous can be break up between the opposite states: Connecticut, Florida, Indiana, New Jersey and Vermont.

A Morgan Stanley spokesperson, in a press release to CNBC, stated, “We now have beforehand notified all probably impacted shoppers relating to these issues, which occurred a number of years in the past, and are happy to have resolved this associated investigation.”

Because the incidents had been found, the corporate has not detected unauthorized entry or misuse of shopper data, and it has made vital adjustments to the way it handles information destruction and distributors.