Morgan Stanley Smith Barney has agreed to pay a $35 million fine to the Securities and Exchange Commission (SEC) for failing to safeguard personal data on 15 million customers.

The SEC said Morgan Stanley was careless with customer data over five years, starting in 2015.

The problem stemmed from hiring a moving and storage company, with no cybersecurity experience, to decommission hard drives and servers housing encrypted personal data of millions of its customers.

Morgan Stanley failed to monitor the company and, therefore, to detect the mishandling of the data, the SEC said.

During those five years, the moving company sold the hard drives and servers to a third party. The devices eventually made their way to an internet auction site, complete with the customer data.

While Morgan Stanley was able to recover a few of the hard drives and servers, the vast majority are still unaccounted for. Moreover, the SEC said, while the devices had encryption software on them, the software was not activated for years.

“MSSB’s failures in this case are astonishing,” said Gubir Grewal, director of the SEC’s enforcement division, in a statement. “If not properly safeguarded, sensitive information can end up in the wrong hands and have disastrous consequences for investors. Today’s action sends a clear message to financial institutions that they must take seriously their obligation to safeguard such data.”