Morgan Stanley is embroiled in a class-action lawsuit over two separate data breaches involving missing equipment that exposed clients’ personal identifiable information — including Social Security and account numbers — to third parties.
The case, brought by a retirement account client and filed in the U.S. District Court for the Southern District of New York on Thursday, involves an unauthorized disclosure of clients’ identity information to unknown third parties and not a breach of a computer system by a third party, the 33-page complaint states.
According to the complaint, on or about July 9, Morgan Stanley Smith Barney began notifying various state attorneys general about multiple data breaches that occurred as early as 2016. Around the same time, Morgan Stanley mailed a Notice of Data Breach to current and former clients affected by the breaches, which occurred in 2016 and 2019.
Timothy M. Smith, a holder of a Morgan Stanley individual retirement account, received Morgan Stanley’s July 9 notice, which stated that information associated with his account was likely subject to the data breach. Smith then decided to file a complaint on behalf of himself and other Morgan Stanley clients.
“We have continuously monitored the situation and have not detected any unauthorized activity related to the matter, nor access to or misuse of personal client information,” a Morgan Stanley spokesperson said in a statement Friday, adding that the firm declined to comment on the lawsuit.
In 2016, Morgan Stanley closed two data centers and decommissioned the computer equipment.
“Morgan Stanley hired a vendor to remove customers’ data from the equipment,” the complaint states. “Subsequently, Morgan Stanley learned that the data was not fully ‘wiped clean,’ and admits that ‘certain devices believed to have been wiped of all information still contained some unencrypted data.’”
Now, Morgan Stanley said, “that equipment is missing.”
In 2019, Morgan Stanley disconnected and replaced multiple computer servers in various branch locations.