Morgan Stanley is embroiled in a class-action lawsuit over two separate data breaches involving missing equipment that exposed clients’ personally identifiable information (PII), including Social Security and account numbers, to third parties.
The case, brought by a retirement account client and filed in the U.S. District Court for the Southern District of New York on Thursday, involves an unauthorized disclosure of clients’ identity information to unknown third parties and not a breach of a computer system by a third party, the 33-page complaint states.
According to the complaint, on or about July 9, Morgan Stanley Smith Barney began notifying various state attorneys general about multiple data breaches that occurred as early as 2016. Around the same time, Morgan Stanley mailed a Notice of Data Breach to current and former clients affected by the breaches, which occurred in 2016 and 2019.
Timothy M. Smith, a holder of a Morgan Stanley individual retirement account, received Morgan Stanley’s July 9 notice, which stated that information associated with his account was likely subject to the data breach. Smith then decided to file a complaint on behalf of himself and other Morgan Stanley clients.
“We have continuously monitored the situation and have not detected any unauthorized activity related to the matter, nor access to or misuse of personal client information,” a Morgan Stanley spokesperson said in a statement Friday, adding that the firm declined to comment on the lawsuit.
In 2016, Morgan Stanley closed two data centers and decommissioned the computer equipment.
“Morgan Stanley hired a vendor to remove customers’ data from the equipment,” the complaint states. “Subsequently, Morgan Stanley learned that the data was not fully ‘wiped clean,’ and admits that ‘certain devices believed to have been wiped of all information still contained some unencrypted data.’”
Now, Morgan Stanley said, “that equipment is missing.”
In 2019, Morgan Stanley disconnected and replaced multiple computer servers in various branch locations.
“The old servers, which still contained customers’ data, were thought to be encrypted, but Morgan Stanley subsequently learned that a ‘software flaw’ on the servers left ‘previously deleted data’ on the hard drives ‘in an unencrypted form.’”
Those servers also are missing, according to the complaint.
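Both incidents described above share one failure mode: storage that was believed wiped or encrypted still held readable data, once because a vendor's wipe missed some devices, once because previously deleted data survived on the drives in plaintext. The script below is an added example, not code from the article or from Morgan Stanley's decommissioning process, of the check a practitioner would run on a raw disk image before a drive leaves custody. It builds a toy volume (a byte buffer plus an allocation table, standing in for a real filesystem) to show why a file-level wipe misses unlinked data, then scans the whole image for blocks that were never overwritten and for plaintext strings shaped like the data classes the notice lists. The `ToyVolume` class, the `scan_image` function and the sample record are all constructed for this example; the SSN and account numbers in it are invented and belong to no one.

```python
import re
from dataclasses import dataclass, field

BLOCK_SIZE = 512

# Heuristic patterns for two of the data classes the notice lists
# (SSN, account number). Good enough to flag residue; not validators.
PII_PATTERNS = {
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "account": re.compile(rb"\b\d{8,12}\b"),
}


@dataclass
class ScanResult:
    nonzero_blocks: list = field(default_factory=list)  # block indexes holding any non-zero byte
    pii_hits: dict = field(default_factory=dict)        # pattern name -> byte offsets of matches

    @property
    def clean(self) -> bool:
        return not self.nonzero_blocks and not self.pii_hits


def scan_image(image: bytes, block_size: int = BLOCK_SIZE) -> ScanResult:
    """Scan a raw image (the whole device, not the filesystem's view of it)
    for blocks that were never overwritten and for plaintext PII-like strings."""
    result = ScanResult()
    for idx in range(0, len(image), block_size):
        if any(image[idx:idx + block_size]):
            result.nonzero_blocks.append(idx // block_size)
    for name, pattern in PII_PATTERNS.items():
        offsets = [m.start() for m in pattern.finditer(image)]
        if offsets:
            result.pii_hits[name] = offsets
    return result


class ToyVolume:
    """Constructed stand-in for a filesystem: a byte buffer plus an allocation
    table. As on most real filesystems, unlink only drops the table entry;
    the bytes stay on disk until something overwrites them."""

    def __init__(self, size: int):
        self.data = bytearray(size)
        self.table = {}          # name -> (offset, length)
        self._next = 0

    def write(self, name: str, payload: bytes) -> None:
        self.data[self._next:self._next + len(payload)] = payload
        self.table[name] = (self._next, len(payload))
        self._next += BLOCK_SIZE  # one record per block, for simplicity

    def unlink(self, name: str) -> None:
        del self.table[name]     # the 'previously deleted data' is still there

    def wipe_allocated_only(self) -> None:
        """What a file-level wipe does: overwrite every *listed* file.
        Anything already unlinked is never visited."""
        for offset, length in self.table.values():
            self.data[offset:offset + length] = bytes(length)
        self.table.clear()

    def wipe_whole_device(self) -> None:
        """Overwrite every byte of the device, allocated or not."""
        self.data[:] = bytes(len(self.data))
        self.table.clear()


# Constructed sample record; the SSN and account number are invented.
SAMPLE_RECORD = b"name=Example Client;ssn=123-45-6789;acct=0012345678"


def demo() -> tuple:
    """Returns scan results after unlink, after a file-level wipe, and after a
    whole-device overwrite, so the difference between the three is visible."""
    vol = ToyVolume(4 * BLOCK_SIZE)
    vol.write("old_client.rec", SAMPLE_RECORD)
    vol.write("active.rec", b"name=Other Client;acct=9876543210")
    vol.unlink("old_client.rec")           # deleted, but not overwritten

    after_delete = scan_image(bytes(vol.data))
    vol.wipe_allocated_only()              # the wipe covered only files it could see
    after_file_wipe = scan_image(bytes(vol.data))
    vol.wipe_whole_device()
    after_device_wipe = scan_image(bytes(vol.data))
    return after_delete, after_file_wipe, after_device_wipe


if __name__ == "__main__":
    labels = ("after unlink", "after file-level wipe", "after device wipe")
    for label, res in zip(labels, demo()):
        print(f"{label:22s} clean={res.clean} "
              f"blocks={res.nonzero_blocks} hits={list(res.pii_hits)}")
```

Run as a script, the first two scans report the unlinked record (block 0, with SSN and account-number hits) and only the whole-device overwrite comes back clean. Against a real drive the same `scan_image` logic would be fed the raw block device in overlapping chunks rather than a single in-memory buffer, and the acceptance criterion is the same: no non-zero blocks after a zero-fill, or no plaintext hits anywhere if the drive is supposed to be encrypted. The pattern check matters for the second case because a "thought to be encrypted" volume cannot be verified by a zero-fill scan at all; readable PII anywhere on the raw device is the signal that the encryption did not cover what it was assumed to cover.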
Morgan Stanley “admits that the unencrypted personal identifiable information that has ‘left [its] possession’ included PII from the account holders and any ‘individual(s) associated with your account(s), including account names and numbers (at Morgan Stanley and any linked bank accounts), Social Security number, passport number, contact information, date of birth, asset value and holdings data,’” the document states.
The missing equipment and servers contain everything unauthorized third parties need to illegally use Morgan Stanley’s current and former customers’ PII to steal their identities and to make fraudulent purchases, among other things, according to the complaint.
“Not only can unauthorized third-parties access defendant’s customers’ PII, the PII can be sold on the dark web,” it states. “Hackers can access and then offer for sale the unencrypted, unredacted PII to criminals.”
The complaint asserts that Morgan Stanley’s “current and former customers face a lifetime risk of identity theft, which is heightened here by the loss of customers’ Social Security number.”
In addition to Morgan Stanley’s failure to prevent the data breach, the complaint states, the bank “failed to detect the data breach for years, and when they did discover the data breach, it took them over a year, possibly longer, to report it to the affected individuals and the states’ Attorneys General.”