Morgan Stanley & Co. agreed to pay $60 million to settle a class-action lawsuit claiming a data security breach exposed the personal data of 15 million current and former customers, including credit card and Social Security numbers.
The sensitive information was stored in data centers that had been decommissioned or replaced, and then allegedly were resold without being properly wiped clean.
Because the firm failed to properly dispose of the data, the personal information of Morgan Stanley customers was easily accessible, according to the agreement filed in federal court in Manhattan Friday. A software flaw allegedly left the data on the old servers in an unencrypted form.
Morgan Stanley agreed to the settlement while continuing to deny the allegations.
“We have previously notified all potentially impacted clients regarding these matters, which occurred several years ago, and are pleased to be resolving this related litigation,” a representative said in a statement.
Morgan Stanley allegedly learned of the breach after it was contacted by a man who said he bought used IT equipment from an internet vendor and it came with access to the sensitive customer data, which also included birth dates and investment account information.
If the settlement is approved by the judge, the affected clients will get access to at least two years of fraud insurance services as an automatic benefit, as well as the opportunity to make a claim for up to $10,000 in reimbursement for out-of-pocket losses.
Cybersecurity is becoming a vexing problem for many wealth management firms, which have long been the logical targets for data breaches. For one, they publicly disclose their assets under management, but also hold some of the most sensitive data directly connected to client finances.
The settlement comes on the heels of a similar breach at Morgan Stanley last year. Guidehouse, a vendor that provides account maintenance services to Morgan Stanley’s StockPlan Connect business, suffered an information security incident, according to a July letter the company sent to the New Hampshire Attorney General’s office.
In that incident, attackers exploited a software vulnerability, which was subsequently patched within five days, to obtain files giving them access to clients’ names, addresses, dates of birth and Social Security numbers.
Advisor accused of scheming to move family trust to firm, lawsuit seeks $10 million in damages.
Young Americans are inexperienced in navigating current stormy waters.
Early investor in EV firm says it is in crisis and needs a change of leadership.
Chipmaker's developer conference comes at a pivotal moment.
Three-year program aimed to boost regulatory compliance, culture change.
In an industry of broad solutions, firms like intelliflo prove 'you just need tools that play well together'
Blue Vault Alts Summit highlights the role of liquidity-focused funds in reshaping advisor strategies
