The investment bank Morgan Stanley faces a $5 million class action lawsuit following claims that it failed to secure personal data that was stored on discarded computers.
The suit has been brought by Morgan Stanley customer Timothy Smith in the U.S. District Court for the Southern District of New York, on behalf of approximately 100 customers whose information was breached in separate incidents in 2016 and 2019.
Morgan Stanley confirmed the breaches in a notification letter, adding that the exposed data included customers’ bank account names and numbers, Social Security numbers, passport numbers, contact details, dates of birth, and asset value and holdings.
The organization initially offered victims two years of prepaid credit monitoring services, but the lawsuit means that they may now be entitled to much more significant compensation.
How did the breach occur?
According to Morgan Stanley’s data breach notification, the 2016 incident occurred after the organization closed down two data centers and decommissioned the computer equipment.
The firm said it hired a third party to wipe the devices, but it later learned that some unencrypted information remained on the devices.
The 2019 incident occurred after Morgan Stanley disconnected and replaced a computer server in a local branch office that contained information on encrypted disks.
Unfortunately, a recent inventory revealed that the device had been misplaced and a software flaw in the server could have exposed some of the data that was stored on it.
The lawsuit argues that Morgan Stanley failed to take appropriate safeguards to secure the information, exposing those affected to identity theft and fraud.
A Morgan Stanley spokesperson said the organization is confident that the information has not been misused – and although that will be a relief to data subjects, it doesn’t absolve the organization of its errors.
The lawsuit makes this clear, stating that the complaint doesn’t concern the misuse of data, but that Morgan Stanley failed to meet its legal requirement to protect it.
It adds that it took Morgan Stanley several years to detect the first incident and over a year after that to report it to affected individuals and the states’ attorneys general.
Are you prepared for a data breach?
This incident demonstrates how important it is for organizations not only to implement information security defenses, but also to identify when something has gone wrong: in Morgan Stanley’s case, to verify that a third party’s data wiping actually succeeded and to keep an accurate inventory of decommissioned equipment.
Every business will suffer a security incident sooner or later. There are simply too many risks and vulnerabilities to eliminate them all.
But in many cases, the difference between a low-risk error and a major issue is the organization’s ability to detect the incident quickly and respond appropriately.
At IT Governance, we can help you understand your requirements when responding to a security incident, with specialist advice on the likes of HIPAA (Health Insurance Portability and Accountability Act) and the CCPA (California Consumer Privacy Act).
Our team of experts can provide tailored advice based on your needs, whether you’re looking for advice on a specific problem or are considering larger changes, such as committing to staff awareness training or implementing ISO 27001.