The bank and its customers filed a preliminary settlement in Manhattan federal court last Friday. U.S. District Judge Analisa Torres must approve the settlement before it becomes final.
Details of the Lawsuit against Morgan Stanley
A class representing 15 million Morgan Stanley customers filed a lawsuit against the bank for exposing their personal information. The customers claimed that, in 2016, Morgan Stanley did not decommission two wealth management data centers. This led to the resale of unencrypted customer data to unauthorized vendors. They also allege that, in 2019, some older Morgan Stanley data servers that contained customer data went missing after they were transferred to an outside vendor. According to court documents, the bank later managed to recover the servers. Morgan Stanley has already paid a civil fine of $60 million to the United States Office of the Comptroller of the Currency (OCC) for this incident. The OCC is an independent government body that ensures banks comply with American laws. The OCC’s order states that the bank “failed to effectively assess or address the risks associated with the decommissioning of its hardware; failed to adequately assess the risk of using third-party vendors, including subcontractors; and failed to maintain an appropriate inventory of customer data stored on the devices.”
Morgan Stanley Denies Wrongdoing, Says Made “Substantial” Upgrades
According to court papers, the settlement will provide customers with at least two years of fraud insurance coverage. They can also each apply for reimbursement for out-of-pocket losses of up to $10,000. As part of the settlement, Morgan Stanley has denied any wrongdoing. It also claims to have made “substantial” upgrades to existing security practices. The lawsuit states that the data centers contained unencrypted and highly sensitive personally identifiable information. The information included names, addresses, passport details, bank account details, and social security numbers. In the current environment, this represents a treasure trove of information for hackers and other cybercriminals. For example, personal information such as names and email addresses can easily be used to launch targeted phishing attacks.