Morgan Stanley agrees to pay $60 million over data breach
Morgan Stanley allegedly learned of the breach when it was contacted by a man who said he had purchased used IT equipment from an internet vendor that came with access to sensitive customer data.
Morgan Stanley & Co. agreed to pay $60 million to settle a class-action lawsuit claiming a data security breach exposed the personal data of 15 million current and former customers, including credit card and Social Security numbers.
The sensitive information was stored in data centers that had been decommissioned or replaced, and then allegedly were resold without being properly wiped clean.
Because the firm failed to properly dispose of the data, the personal information of Morgan Stanley customers was easily accessible, according to the agreement filed in federal court in Manhattan Friday. A software flaw allegedly left the data on the old servers in an unencrypted form.
Morgan Stanley agreed to the settlement while continuing to deny the allegations.
“We have previously notified all potentially impacted clients regarding these matters, which occurred several years ago, and are pleased to be resolving this related litigation,” a representative said in a statement.
Morgan Stanley allegedly learned of the breach after it was contacted by a man who said he bought used IT equipment from an internet vendor and it came with access to the sensitive customer data, which also included birth dates and investment account information.
If the settlement is approved by the judge, the affected clients will get access to at least two years of fraud insurance services as an automatic benefit, as well as the opportunity to make a claim for up to $10,000 in reimbursement for out-of-pocket losses.
Cybersecurity is becoming a vexing problem for many wealth management firms, which have long been the logical targets for data breaches. For one, they publicly disclose their assets under management, but also hold some of the most sensitive data directly connected to client finances.
The settlement comes on the heels of a similar breach at Morgan Stanley last year. Guidehouse, a vendor that provides account maintenance services to Morgan Stanley’s StockPlan Connect business, suffered an information security incident, according to a July letter the company sent to the New Hampshire Attorney General’s office.
In that incident, attackers exploited a software vulnerability, which was subsequently patched within five days, to obtain files giving them access to clients’ names, addresses, dates of birth and Social Security numbers.
Learn more about reprints and licensing for this article.
