[BreachExchange] Morgan Stanley Is Sued Over Data Breaches Tied to Missing Equipment

Destry Winant destry at riskbasedsecurity.com
Tue Sep 1 10:11:53 EDT 2020


https://www.thinkadvisor.com/2020/08/28/morgan-stanley-hit-with-data-breach-suit-tied-to-missing-equipment/

Morgan Stanley is embroiled in a class-action lawsuit over two
separate data breaches involving missing equipment that exposed
clients’ personal identifiable information — including Social Security
and account numbers — to third parties.

The case, brought by a retirement account client and filed in the U.S.
District Court for the Southern District of New York on Thursday,
involves an unauthorized disclosure of clients’ identity information
to unknown third parties and not a breach of a computer system by a
third party, the 33-page complaint states.

According to the complaint, on or about July 9, Morgan Stanley Smith
Barney began notifying various state attorneys general about multiple
data breaches that occurred as early as 2016. Around the same time,
Morgan Stanley mailed a Notice of Data Breach to current and former
clients affected by the breaches, which occurred in 2016 and 2019.

Timothy M. Smith, a holder of a Morgan Stanley individual retirement
account, received Morgan Stanley’s July 9 notice, which stated that
information associated with his account was likely subject to the data
breach. Smith then decided to file a complaint on behalf of himself
and other Morgan Stanley clients.

“We have continuously monitored the situation and have not detected
any unauthorized activity related to the matter, nor access to or
misuse of personal client information,” a Morgan Stanley spokesperson
said in a statement Friday, adding that the firm declined to comment
on the lawsuit.

Missing Equipment

In 2016, Morgan Stanley closed two data centers and decommissioned the
computer equipment.

“Morgan Stanley hired a vendor to remove customers’ data from the
equipment,” the complaint states. “Subsequently, Morgan Stanley
learned that the data was not fully ‘wiped clean,’ and admits that
‘certain devices believed to have been wiped of all information still
contained some unencrypted data.’”

Now, Morgan Stanley said, “that equipment is missing.”

In 2019, Morgan Stanley disconnected and replaced multiple computer
servers in various branch locations.

“The old servers, which still contained customers’ data, were thought
to be encrypted, but Morgan Stanley subsequently learned that a
‘software flaw’ on the servers left ‘previously deleted data’ on the
hard drives ‘in an unencrypted form.’”

Those servers also are missing, according to the complaint.

Morgan Stanley “admits that the unencrypted personal identifiable
information that has ‘left [its] possession’ included PII from the
account holders and any ‘individual(s) associated with your
account(s), including account names and numbers (at Morgan Stanley and
any linked bank accounts), Social Security number, passport number,
contact information, date of birth, asset value and holdings data,”
the document states.

The missing equipment and servers contain everything unauthorized
third parties need to illegally use Morgan Stanley’s current and
former customers’ PII to steal their identities and to make fraudulent
purchases, among other things, according to the complaint.

“Not only can unauthorized third-parties access defendant’s customers’
PII, the PII can be sold on the dark web,” it states. “Hackers can
access and then offer for sale the unencrypted, unredacted PII to
criminals.”

The complaint asserts that Morgan Stanley’s “current and former
customers face a lifetime risk of identity theft, which is heightened
here by the loss of customers’ Social Security number.”

In addition to Morgan Stanley’s failure to prevent the data breach,
the complaint states, the bank “failed to detect the data breach for
years, and when they did discover the data breach, it took them over a
year, possibly longer, to report it to the affected individuals and
the states’ Attorneys General.”
