Morgan Stanley & Co. agreed to pay $60 million to settle a class-action lawsuit claiming a data security breach exposed the personal data of 15 million current and former customers, including credit card and Social Security numbers.
The sensitive information was stored in data centers that had been decommissioned or replaced, and then allegedly were resold without being properly wiped clean.
Because the firm failed to properly dispose of the data, the personal information of Morgan Stanley customers was easily accessible, according to the agreement filed in federal court in Manhattan Friday. A software flaw allegedly left the data on the old servers in an unencrypted form.
Morgan Stanley agreed to the settlement while continuing to deny the allegations.
“We have previously notified all potentially impacted clients regarding these matters, which occurred several years ago, and are pleased to be resolving this related litigation,” a representative said in a statement.
Morgan Stanley allegedly learned of the breach after it was contacted by a man who said he bought used IT equipment from an internet vendor and it came with access to the sensitive customer data, which also included birth dates and investment account information.
If the settlement is approved by the judge, the affected clients will get access to at least two years of fraud insurance services as an automatic benefit, as well as the opportunity to make a claim for up to $10,000 in reimbursement for out-of-pocket losses.
Cybersecurity is becoming a vexing problem for many wealth management firms, which have long been the logical targets for data breaches. For one, they publicly disclose their assets under management, but also hold some of the most sensitive data directly connected to client finances.
The settlement comes on the heels of a similar breach at Morgan Stanley last year. Guidehouse, a vendor that provides account maintenance services to Morgan Stanley’s StockPlan Connect business, suffered an information security incident, according to a July letter the company sent to the New Hampshire Attorney General’s office.
In that incident, attackers exploited a software vulnerability, which was subsequently patched within five days, to obtain files giving them access to clients’ names, addresses, dates of birth and Social Security numbers.
Rajesh Markan earlier this year pleaded guilty to one count of criminal fraud related to his sale of fake investments to 10 clients totaling $2.9 million.
From building trust to steering through emotions and responding to client challenges, new advisors need human skills to shape the future of the advice industry.
"The outcome is correct, but it's disappointing that FINRA had ample opportunity to investigate the merits of clients' allegations in these claims, including the testimony in the three investor arbitrations with hearings," Jeff Erez, a plaintiff's attorney representing a large portion of the Stifel clients, said.
Chair also praised the passage of stablecoin legislation this week.
Maridea Wealth Management's deal in Chicago, Illinois is its first after securing a strategic investment in April.
Orion's Tom Wilson on delivering coordinated, high-touch service in a world where returns alone no longer set you apart.
Barely a decade old, registered index-linked annuities have quickly surged in popularity, thanks to their unique blend of protection and growth potential—an appealing option for investors looking to chart a steadier course through today's choppy market waters, says Myles Lambert, Brighthouse Financial.
