Morgan Stanley Agrees to Data Breach Settlement

American multinational investment bank and financial services company Morgan Stanley has agreed to pay $60m to settle a legal claim over data security.

A class-action lawsuit was filed against the company in July 2020 over two security breaches that compromised the personal data of approximately 15 million of its customers.

The suit alleges that Morgan Stanley failed to safeguard the personally identifiable information (PII) of its current and former clients. According to the plaintiffs, data center equipment that Morgan Stanley decommissioned in 2016 and 2019 was not properly wiped before it left the company's control.

The plaintiffs allege that, because of a software flaw, sensitive data remained on the old servers and other devices in unencrypted form, readable by whoever bought the decommissioned equipment.

It is further alleged that some of the equipment went missing after it was decommissioned.
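The failure described above is a sanitization failure: the hardware was handed to a vendor, and nobody verified that the data was gone before it was resold. The following is an added example, not code from the article or from Morgan Stanley, of the kind of check an asset-disposal process would run against a device image before release. It reads the image in fixed-size blocks, reports how many blocks still hold non-zero data, and scans for recognisable plaintext customer records. The record formats, the `PII_PATTERNS` regexes and the two sample images are all constructed for the example and are not the bank's formats.

```python
"""Decommissioning sanitization check (added example, not from the article).

Scans a raw storage image block by block and reports (a) how many blocks
still contain non-zero data and (b) whether recognisable plaintext records
survive.  The sample images built by build_image() are constructed in
memory for this example; the PII patterns are illustrative, not a real
institution's record formats.
"""
import io
import re
from dataclasses import dataclass, field

BLOCK_SIZE = 4096
OVERLAP = 64  # tail of the previous block re-scanned so a record split across blocks is still found

# Hypothetical plaintext markers that should never survive a wipe.
PII_PATTERNS = {
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "account": re.compile(rb"\bACCT[- ]?\d{8,12}\b"),
}


@dataclass
class WipeReport:
    total_blocks: int = 0
    nonzero_blocks: int = 0
    pii_hits: dict = field(default_factory=dict)

    @property
    def zero_filled(self) -> bool:
        # Strict criterion for a zero-overwrite wipe.
        return self.nonzero_blocks == 0

    @property
    def plaintext_free(self) -> bool:
        # Weaker criterion usable for crypto-erased or random-overwritten media.
        return not self.pii_hits


def verify_wipe(stream, block_size: int = BLOCK_SIZE) -> WipeReport:
    """Scan a binary stream (device node or image file) and return a WipeReport."""
    report = WipeReport()
    zero_block = bytes(block_size)
    carry = b""
    while True:
        block = stream.read(block_size)
        if not block:
            break
        report.total_blocks += 1
        if block != zero_block[: len(block)]:
            report.nonzero_blocks += 1
        window = carry + block
        for name, pattern in PII_PATTERNS.items():
            # Count only matches that extend into the new block, so a hit that lies
            # entirely in the carried-over tail is not counted a second time.
            hits = sum(1 for m in pattern.finditer(window) if m.end() > len(carry))
            if hits:
                report.pii_hits[name] = report.pii_hits.get(name, 0) + hits
        carry = block[-OVERLAP:]
    return report


def build_image(placements, blocks: int, wipe: bool) -> io.BytesIO:
    """Constructed sample image: `placements` is a list of (offset, record bytes).
    With wipe=True the image is returned zero-filled, as a proper overwrite would leave it."""
    buf = bytearray(blocks * BLOCK_SIZE)
    if not wipe:
        for offset, record in placements:
            buf[offset:offset + len(record)] = record
    return io.BytesIO(bytes(buf))


# Constructed sample records (fictional people and identifiers).
SAMPLE_PLACEMENTS = [
    (100, b"name=Jane Doe;email=jane.doe@example.com;ssn=123-45-6789;acct=ACCT-00123456\n"),
    # Deliberately placed so the SSN straddles the block 0 / block 1 boundary.
    (BLOCK_SIZE - 9, b"ssn=987-65-4321;email=john.roe@example.net\n"),
]


def run_checks() -> dict:
    """Run the check over an unwiped image and a zero-filled one; returns label -> WipeReport."""
    results = {}
    for label, wipe in (("returned-as-is", False), ("zero-filled", True)):
        results[label] = verify_wipe(build_image(SAMPLE_PLACEMENTS, blocks=16, wipe=wipe))
    return results


if __name__ == "__main__":
    for label, r in run_checks().items():
        print(f"{label}: {r.nonzero_blocks}/{r.total_blocks} non-zero blocks, "
              f"plaintext hits={r.pii_hits or 'none'}")
```

On a real device the stream would be the block device opened read-only (for example `open("/dev/sdX", "rb")`), and the run would be recorded against the asset's serial number so the inventory shows which devices were verified. The strict `zero_filled` test is only meaningful for a zero-overwrite wipe; media sanitized by cryptographic erase or random overwrite legitimately look non-zero, and for those only the `plaintext_free` result applies. Neither check replaces a physical destruction or vendor certificate; it is the independent verification the decommissioning process in this story lacked.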

An investigation into the security incident was launched by the Office of the Comptroller of the Currency (OCC) after a vendor contacted Morgan Stanley in 2017 to inform the company that data belonging to its clients was still accessible on the old equipment.

In July 2020, Morgan Stanley began notifying current and former clients who had been impacted by the data security incident. 

Three months later, the OCC issued Morgan Stanley a consent order assessing a $60m civil penalty.

The OCC found Morgan Stanley “failed to effectively assess or address risks associated with decommissioning its hardware; failed to adequately assess the risk of subcontracting the decommissioning work, including exercising adequate due diligence in selecting a vendor and monitoring its performance; and failed to maintain appropriate inventory of customer data stored on the decommissioned hardware devices” in connection with decommissioning two Wealth Management business data centers located in the US in 2016.

“In 2019, the banks experienced similar vendor management control deficiencies in connection with decommissioning other network devices that also stored customer data,” stated the OCC.

The $60m data breach settlement, which is separate from the OCC's civil penalty, now awaits the approval of a federal judge in Manhattan.

In a statement issued Monday, Morgan Stanley said: “We have previously notified all potentially impacted clients regarding these matters, which occurred several years ago, and are pleased to be resolving this related litigation.”