Morgan Stanley Sued Over Lost Equipment Containing Unencrypted Customer Data [UPDATE]
by Erin Shaak
Last Updated on October 23, 2020
Grossman et al. v. Morgan Stanley Smith Barney, LLC
Filed: July 31, 2020 ◆§ 1:20-cv-06012
A class action claims Morgan Stanley failed to safeguard customers’ private data from falling into the hands of unknown third parties when unencrypted computer hardware was lost.
Case Updates
October 8, 2020 – Morgan Stanley Hit with $60M Fine by OCC
Morgan Stanley must pay $60 million to the U.S. Treasury for the unsafe data protection practices at the center of the lawsuits detailed on this page.
The Office of the Comptroller of the Currency (OCC), an independent bureau within the U.S. Treasury, found that the bank “failed to exercise proper oversight” of the decommissioning of two data centers in 2016, which may have allowed customers’ private data to become compromised.
“In connection with the decommissioning, the Bank, among other things, failed to effectively assess or address the risks associated with the decommissioning of its hardware; failed to adequately assess the risk of using third party vendors, including subcontractors; and failed to maintain an appropriate inventory of customer data stored on the devices,” the consent order, filed by the OCC on October 8, reads.
Further, Morgan Stanley failed to exercise due diligence when selecting a third-party vendor to remove the data and also neglected to adequately monitor the vendor’s performance, the OCC stated.
Morgan Stanley, for its part, “neither admits nor denies” the OCC’s findings, according to the order.
The proposed class action lawsuits against the financial giant were consolidated in the Southern District of New York in September.
August 17, 2020 – Morgan Stanley Hit with Another Lawsuit
At least one other lawsuit has been filed against Morgan Stanley over its alleged failure to safeguard the personally identifiable information (PII) of its current and former customers and provide timely notice that their sensitive data had been compromised.
As a result of the two data breaches detailed on this page, Morgan Stanley customers face a lifelong risk of identity theft and fraud, the case out of New York alleges.
“The missing equipment and servers contain everything unauthorized third-parties need to illegally use Morgan Stanley’s current and former customers’ PII to steal their identities and to make fraudulent purchases, among other things,” the complaint reads, adding that affected individuals should be entitled to injunctive and other equitable relief.
The lawsuit looks to represent anyone in the U.S. whose personally identifiable information was compromised in the data breach first announced by Morgan Stanley around July 9, 2020, with a proposed subclass of California residents.
A proposed class action claims Morgan Stanley Smith Barney, LLC failed to properly safeguard customers’ personally identifiable information from falling into the hands of unknown third parties when unencrypted computer hardware was lost.
In early July 2020, the financial services firm began notifying state attorneys general about two data breaches, one occurring in 2016 and the other in 2019, in which customers’ personally identifiable information (PII)—including names, Social Security numbers, passport numbers, addresses, telephone numbers, email addresses, account numbers, dates of birth, incomes, asset values and holding information—may have been exposed to unauthorized third parties, the lawsuit explains.
According to the case, Morgan Stanley closed in 2016 two data centers and hired a vendor to remove customers’ private information from decommissioned computer equipment. The defendant later learned that the data was not fully “wiped” clean, and stated that “certain devices believed to have been wiped of all information still contained some unencrypted data,” the lawsuit alleges.
Per the complaint, the affected equipment is now missing.
In 2019, Morgan Stanley replaced computer servers in several branch locations that still contained customers’ data, which was thought to be encrypted. According to the suit, however, the defendant later learned that a “software flaw” on the old servers left “previously deleted data” on the hard drives “in an unencrypted form.”
The lawsuit alleges that these servers are also missing.
Per the case, Morgan Stanley customers learned of the first breach only after the firm sent out a July 2020 letter informing them of the situation. In subsequent data breach notifications sent to state attorneys general, the defendant reported the 2016 incident and added information about the 2019 incident, the lawsuit says.
Morgan Stanley’s “negligent and/or careless acts and omissions,” coupled with its failure to protect customers’ data, have exposed those affected to a “lifetime risk” of identity theft, the suit charges.
“The missing equipment and servers contain everything unauthorized third-parties need to illegally use Morgan Stanley’s current and former customers’ PII to steal their identities and to make fraudulent purchases, among other things,” the complaint reads, adding that the data can also be sold to criminals on the Dark Web.
The lawsuit charges that Morgan Stanley not only failed to take steps to properly encrypt or destroy customers’ data to prevent the breaches but failed to discover the incidents “for years” and then waited over a year or more to notify affected customers and their states’ attorneys general.
“As a result of this delayed response,” the complaint reads, “Plaintiffs and Class Members were completely unaware their PII had been compromised, and that they were, and continue to be, at significant risk to identity theft and various other forms of personal, social, and financial harm throughout their lives.”
The lawsuit looks to represent anyone whose personally identifiable information was compromised in the data breach first announced by Morgan Stanley around July 9, 2020.
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.
Before commenting, please review our comment policy.