Morgan Stanley has been entangled in a class-action lawsuit on account of two separate data hacks. The data hacks included missing equipment that unmasked the personally identifiable information (PII) and also involved Social Security Numbers (SSNs) and account numbers to the third parties.
This particular case, on Thursday, had been brought by a retirement account client and then filed in the U.S. District Court for the New York’s Southern District. It involves unauthorized disclosure of the identity of the clients’ information to the unknown third parties. It is not any breach by a third party in the computer system, as stated by a 33-page complaint.
The 33-Page Complaint
Source: UN District Court
As the complaint states, on or around the 9th of July, Morgan Stanley Smith Barney had started notifying the several state attorneys’ general regarding multiple data leaks that had occurred as early as 2016. Approximately at the same time, Morgan Stanley had mailed a Notice of Data Hacks to the former and the current clients who are affected by the data breaches that occurred in 2016 and 2019.
An account holder at Morgan Stanley for the individual retirement account, Timothy M. Smith, had received the 9th of July notice of the company. The notice stated that the information associated with the account of Mr Smith was supposedly subjected to the data hacks. The account holder then decided for filing a complaint on behalf of himself and as well as the other Morgan Stanley clients.
“We have continuously monitored the situation and have not detected any unauthorized activity related to the matter, nor access to or misuse of personal client information,” a Morgan Stanley spokesperson said in a statement Friday, adding that the firm declined to comment on the lawsuit.
The Missing Equipment
Back in 2016, Morgan Stanley has shut down two of the data centres and had decommissioned the computer equipment.
“Morgan Stanley hired a vendor to remove customers’ data from the equipment,” the complaint states. “Subsequently, Morgan Stanley learned that the data was not fully ‘wiped clean,’ and admits that ‘certain devices believed to have been wiped of all information still contained some unencrypted data.’”
Now, Morgan Stanley said, “that equipment is missing.”
In the year 2019, Morgan Stanley had disconnected and as well as replaced the multiple computer servers in different branch locations. All of those servers were also missing, as the complaint further states.

“The old servers, which still contained customers’ data, were thought to be encrypted, but Morgan Stanley subsequently learned that a ‘software flaw’ on the servers left ‘previously deleted data’ on the hard drives ‘in an unencrypted form.’”
Morgan Stanley “admits that the unencrypted personally identifiable information that has ‘left [its] possession’ included PII from the account holders and any ‘individual(s) associated with your account(s), including account names and numbers (at Morgan Stanley and any linked bank accounts), Social Security number, passport number, contact information, date of birth, asset value and holdings data,” the document states.
The servers and the missing equipment contain each and everything that the unauthorized third parties would require to illegally use Morgan Stanley’s former and current customers’ PII for stealing their identities and also for making fraudulent purchases, amongst the other things, as per the complaint.
“Not only can unauthorized third-parties access defendant’s customers’ PII, the PII can be sold on the dark web,” it states. “Hackers can access and then offer for sale the unencrypted, unredacted PII to criminals.”
The complaint asserts that Morgan Stanley’s “current and former customers face a lifetime risk of identity theft, which is heightened here by the loss of customers’ Social Security number.”
In addition to Morgan Stanley’s failure to prevent the data breach, the complaint states, the bank “failed to detect the data breach for years, and when they did discover the data breach, it took them over a year, possibly longer, to report it to the affected individuals and the states’ Attorneys General.”
Source: Think Advisor
Disclaimer: Read the complete disclaimer here.