The U.S. investment bank and financial services company Morgan Stanley recently agreed to pay $60 million to settle a data breach class-action lawsuit. The proposed fine results from two data leak incidents that affected the personally identifiable information (PII) of over 15 million current and former clients of Morgan Stanley.
According to the lawsuit, filed in the U.S. District Court for the Southern District of New York, the affected class members will be compensated up to $10,000 for out-of-pocket losses, along with two years of fraud insurance coverage.
Data Breach in Brief
Plaintiffs allege that Morgan Stanley failed to delete the information of over 15 million of its current and former clients in 2016 and 2019 from its IT platform before selling it to third parties. An investigation by the Office of the Comptroller of the Currency (OCC) revealed that Morgan Stanley violated data privacy laws by exposing its clients’ sensitive data to third parties.
The exposed information included customers’ dates of birth, Social Security numbers, home and work contact information, the identities of spouses and children, and passport, banking, and credit card information.
“Morgan Stanley first learned of the 2016 Data Security Incident in October 2017, when it was contacted by a third party who said he had bought used IT equipment from an internet vendor and had access to Morgan Stanley data. In 2020, the OCC directed Morgan Stanley to provide notice of the Data Security Incidents to its potentially affected current and former clients. Morgan Stanley began distributing notice letters in July 2020. The action by the OCC resulted in a consent order stating that Morgan Stanley failed to effectively assess or address the risks associated with the decommissioning of its hardware,” the lawsuit (Case 1:20-cv-05914-AT, Document 81-1, filed 12/31/21) said.
Morgan Stanley and Data Breaches
Morgan Stanley has been caught up in multiple data breach incidents over the year. The global financial services provider recently reported a data breach after unknown hackers stole its customers’ private data by exploiting a bug in the Accellion File Transfer Appliance (FTA) server hosted by a third-party vendor. Morgan Stanley has a huge client base, including public and private organizations, government entities, and institutions across the globe. The data breach could impact the company in several ways.