Morgan Stanley Agrees to Data Breach Settlement
A class-action lawsuit was filed against the company in July 2020 over two security breaches that compromised the personal data of approximately 15 million of its customers.
The suit alleges that Morgan Stanley failed to safeguard the personally identifiable information (PII) of its current and former clients. According to the plaintiffs, data center equipment decommissioned by Morgan Stanley in 2016 and 2019 was not wiped clean properly.
The plaintiffs allege that a software flaw meant that sensitive data stored on the old servers and other technology was visible in an unencrypted format to whoever purchased the decommissioned equipment.
It is further alleged that some of the equipment went missing after it was decommissioned.
An investigation into the security incident was launched by the Office of the Comptroller of the Currency (OCC) after a vendor contacted Morgan Stanley in 2017 to inform the company that data belonging to its clients was accessible via the old technology.
In July 2020, Morgan Stanley began notifying current and former clients who had been impacted by the data security incident.