Morgan Stanley to Pay 6 States $6.5M Over Client Data Security

The firm failed to erase customer information from old hard drives and servers before auctioning them off.

New York Attorney General Letitia James and a coalition of five attorneys general reached a $6.5 million agreement Thursday with Morgan Stanley Smith Barney LLC for compromising the personal information of millions of customers nationwide.

According to James’ office, Morgan Stanley “failed to decommission its computers and erase unencrypted data in certain computer devices that were later auctioned while still containing consumers’ personal information, including data belonging to 1.1 million New Yorkers.”

New York, according to James, will receive $1,658,047 from the settlement, and Morgan Stanley will be required to strengthen its data security measures.

The other states are Connecticut, Florida, Indiana, New Jersey and Vermont.

“No one should have their personal information auctioned off without their knowledge because a company failed to take basic steps to erase it before selling their old computers,” James said in a statement.

“Today’s agreement requires Morgan Stanley to bolster its cybersecurity so consumers will never again have to risk their personal data unintentionally being sold at an auction,” James said. “Companies, big and small, must all take their responsibility to protect their customers’ data seriously, and if they do not, my office will take action.”

The two data incidents were reported in July 2020.

Morgan Stanley, according to James, “hired a moving company with no experience in data destruction services to decommission thousands of hard drives and servers containing sensitive information of millions of its customers.”

Morgan Stanley then “failed to properly monitor the moving company’s work, and its computer equipment, some of which still contained private consumer information, was then sold at auction.”

Morgan Stanley was only made aware of the problem when a purchaser discovered the data and called the company, according to James’ office.

In a second incident, Morgan Stanley discovered during a decommissioning process that 42 servers, all potentially containing unencrypted customer information, were missing.

“During this process, the company learned that the local devices being decommissioned may have contained unencrypted data due to a manufacturer flaw in the encryption software,” the order states.

The multistate investigation found that Morgan Stanley “failed to maintain adequate vendor controls and hardware inventories, and that had these controls been in place, both data security events could have been prevented,” James said.
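The two controls the investigation names, a hardware inventory and oversight of the vendor's work, come together in one concrete check: reconcile the list of devices handed over for decommissioning against the serials the vendor certifies as destroyed, and rank whatever is unaccounted for by whether it could still hold readable data. The script below is an added illustration, not code from Morgan Stanley, the attorneys general, or the order; the asset serials, the certificate contents, and the `trust_encryption` switch are constructed assumptions. The switch reflects the second incident above: when the encryption software itself may be flawed, an "encrypted" flag in the inventory should not be treated as proof that the data is unreadable.

```python
"""Reconcile a decommissioning inventory against a vendor's certificate of
destruction. All data below is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    serial: str
    kind: str         # "server" or "hdd"
    encrypted: bool   # inventory says disk encryption was active
    sanitized: bool   # the firm wiped the device itself before handoff


# Constructed inventory of devices released to the decommissioning vendor.
INVENTORY = [
    Asset("SRV-0001", "server", encrypted=True,  sanitized=False),
    Asset("SRV-0002", "server", encrypted=False, sanitized=False),
    Asset("HDD-1001", "hdd",    encrypted=True,  sanitized=True),
    Asset("HDD-1002", "hdd",    encrypted=False, sanitized=False),
    Asset("HDD-1003", "hdd",    encrypted=True,  sanitized=False),
]

# Constructed certificate of destruction: serials the vendor attests were
# destroyed. "HDD-9999" was never in our inventory and must be queried.
CERTIFICATE = {"SRV-0001", "HDD-1001", "HDD-9999"}


def is_exposed(asset: Asset, trust_encryption: bool = True) -> bool:
    """True if the device could still carry readable data if it went missing.

    A device the firm wiped itself is safe regardless. One that was only
    encrypted is safe only if we are willing to trust the encryption flag;
    with trust_encryption=False (e.g. a known flaw in the encryption
    software) it is treated as plaintext.
    """
    if asset.sanitized:
        return False
    if asset.encrypted and trust_encryption:
        return False
    return True


def reconcile(inventory, certificate, trust_encryption: bool = True):
    """Return (unaccounted, unexpected).

    unaccounted: inventory assets absent from the certificate, highest risk
                 first (exposed devices before non-exposed, then by serial).
    unexpected:  serials on the certificate that were never in inventory.
    """
    known = {a.serial: a for a in inventory}
    unaccounted = [a for s, a in known.items() if s not in certificate]
    unaccounted.sort(key=lambda a: (0 if is_exposed(a, trust_encryption) else 1,
                                    a.serial))
    unexpected = sorted(certificate - known.keys())
    return unaccounted, unexpected


def exposed_serials(assets, trust_encryption: bool = True):
    """Serials from `assets` that fail the is_exposed check, in given order."""
    return [a.serial for a in assets if is_exposed(a, trust_encryption)]


if __name__ == "__main__":
    for trust in (True, False):
        missing, extra = reconcile(INVENTORY, CERTIFICATE, trust)
        print(f"trust_encryption={trust}")
        print("  unaccounted:", [a.serial for a in missing])
        print("  exposed    :", exposed_serials(missing, trust))
        print("  unexpected :", extra)
```

Anything in the unaccounted list should block sign-off on the vendor's invoice until it is located or the vendor produces a per-serial record for it; anything in the unexpected list is a sign the vendor's paperwork does not correspond to this job. Running the same report with `trust_encryption=False` is the quick way to see how much the exposure grows if the encryption cannot be relied on, which is the situation the second incident describes.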

Morgan Stanley said in a statement that the firm has “previously notified all potentially impacted clients regarding these matters, which occurred several years ago, and are pleased to have resolved this related investigation.”