Morgan Stanley, a financial services provider, is facing a data breach suit filed by one of its customers, Timothy Smith. The suit seeks class action status and accuses Morgan Stanley of improperly handling historical customer data dating as far back as 2016. According to Smith, Morgan Stanley failed to thoroughly dispose of its data, which led to the potential exposure of his and other customers’ personally identifiable information (PII).
How it Happened
Morgan Stanley reported to the Attorney General and notified its affected customers about two separate data exposure incidents. The first took place in 2016, when Morgan Stanley shut down two of its data centers and correspondingly decommissioned the computer equipment at both locations. As per its standard operating procedure (SOP), a contracted vendor was assigned to delete and dispose of all the data on these devices. However, it was later learned that some of these devices still contained historical data of some customers in an unencrypted format.
In the second incident, which took place in 2019, Morgan Stanley disconnected and replaced a computer server in a local branch office. This server contained encrypted disks that may have held personal information. During a recent inventory check, the company was unable to locate this decommissioned server. Additionally, the server manufacturer subsequently informed Morgan Stanley of a software flaw that could potentially result in small amounts of previously deleted data remaining on the disks in an unencrypted form.
What is at Risk
In its self-assessment, Morgan Stanley's IT team found that data pertaining to customer accounts was exposed, including PII such as account names and numbers (at Morgan Stanley and any linked bank accounts), Social Security numbers (SSNs), passport numbers (where provided), contact information, dates of birth, and asset value and holdings data. However, this data did not include online passwords for Morgan Stanley accounts.
What Next for Morgan Stanley
Morgan Stanley is closely monitoring the compromised accounts for any suspicious activity but has not yet detected any misuse of the exposed data. It is also providing the affected customers with 24 months of free credit and identity monitoring service, in case their identities are misused.
However, the lawsuit alleges, “PII was compromised due to Morgan Stanley’s negligent and/or careless acts and omissions and the failure to protect customers’ data. In addition to Morgan Stanley’s failure to prevent the data breach, the defendant failed to detect the data breach for years, and when they did discover the data breach, it took them over a year, possibly longer, to report it to the affected individuals and the states’ attorneys general.”
Smith also pointed out in the lawsuit that Morgan Stanley did not use reasonable security procedures and practices, and that it could have prevented the data breach by encrypting the data. This case does not involve a direct breach of a computer system by a third party, but rather an unauthorized disclosure of PII. Thus, it will be interesting to see the court's verdict in this data breach class action suit.