A client of the financial institution, Timothy Smith, filed the lawsuit against Morgan Stanley in the U.S. District Court for the Southern District of New York, on behalf of about 100 clients affected by the data breach. The lawsuit alleges incidents that occurred in both 2016 and 2019, when the organization decommissioned certain computer equipment without first taking care to completely remove customer data.
The incidents were confirmed by Morgan Stanley through data breach notification letters sent to the Attorney General of California and the Attorneys General of other states. According to the company, the exposed data may include account names and numbers, Social Security numbers, passport numbers, contact details, dates of birth, asset value and holdings details. As a remedy, the company offered affected customers two years of prepaid credit monitoring services.
What led to the leak
"In 2016, Morgan Stanley closed two data centers and turned off computer equipment at both sites. As usual, we contacted a vendor to remove the data from the appliances," the letter states. "We later learned that some devices believed to have been cleared of all information still contained some unencrypted data."
In 2019, a second incident took place, in which the company disconnected and replaced a server at a local branch that contained information on encrypted disks. According to Morgan Stanley: "During a recent inspection, we were unable to locate this device and a software defect on this server could allow some data to be exposed."
The lawsuit alleges that criminals could steal customers' personal information from these devices and use it for illegal activities.
However, a spokesman for Morgan Stanley said: "We are constantly monitoring the situation and have not identified any unauthorized activity related to the issue or access to or misuse of personal customer information."
Finally, the action also alleges that Morgan Stanley:
- Did not use reasonable security procedures and practices appropriate to the nature of the sensitive, unencrypted customer information it held.
- Could have prevented the data breach by encrypting the data.
- Failed to learn from a similar previous event.