Morgan Stanley customer Timothy Smith filed a $5 million lawsuit in the Southern District of New York Court over data mismanagement by the financial institution.
Smith represented 100 other customers affected by the data breach. According to the filed suit, Morgan Stanley failed to properly discard data from old computer equipment in 2016.
When the bank decommissioned several pieces of computer equipment without deleting the personal data, it violated the law protecting customers’ data. The financial firm received notification letters from the California attorney general detailing the complaints of the affected customers.
According to the letters, compromised data include account names, Social Security numbers, passport numbers, contact information, dates of birth, and other valuable data assets.
The 33-page lawsuit detailed the two separate data breaches that exposed the data of customers to third parties. The suit stated that the financial institution only notified the authorities on July 9 following the multiple breaches that occurred between 2016 and 2019.
Back in 2016, Morgan Stanley closed two data centers and hired a third party to remove the customers’ data from the computers. However, the bank later learned that not all data was fully wiped out, and other devices contained unencrypted data.
In Morgan Stanley’s report submitted to the state attorney general, the computers were tagged as missing, contrary to what really happened. Last year, the firm also disconnected and replaced some servers in various locations.
These servers contained the customers’ data, and the firm found out there was a software flaw that encrypted the information. All along the bank believed that the previously deleted data was still on the hard drives in an unencrypted form, leading to exposure.
Morgan Stanley admits that unencrypted personal information was in its possession, which contained the account holders’ names, account numbers, linked bank accounts, Social Security numbers, and other information.
“Not only can unauthorized third-parties access the defendant’s customers’ PII, but the PII can also be sold on the dark web. Hackers can access and then offer for sale the unencrypted, unredacted PII to criminals,” the lawsuit states.
In addition to the complaint about the poor data management, the lawsuit also cited Morgan Stanley’s failure to discover the breach and report it to the authorities. Moreover, the firm failed to use security procedures and practices to maintain or wipe out the information.
Meanwhile, the bank spokesperson said they are continuously monitoring the situation and “have not detected any unauthorized activity related to the matter.”