Morgan Stanley agrees to $60 million settlement in data breach lawsuit

Customer data was held on legacy equipment that was later sold on without being wiped.
Written by Charlie Osborne, Contributing Writer

Morgan Stanley has agreed to a settlement figure of $60 million to resolve a data breach lawsuit. 

The US bank and financial services giant was subject to a class-action suit following two data exposure incidents involving approximately 15 million current and former clients. 

According to the motion, legacy equipment containing clients' personally identifiable information (PII) was decommissioned in 2016 and 2019. The equipment was not wiped of this sensitive information before it was sold, so the datasets may have been exposed unencrypted and viewable by the purchasing parties.

Court documents suggest the retired equipment included old servers and other data center technology. 

In 2017, Morgan Stanley was contacted by one of the vendors that had purchased the equipment, who told the company that they had access to client data.

"In 2020, after an investigation, the Office of Comptroller of Currency (OCC) directed Morgan Stanley to provide notice of the Data Security Incidents to its potentially affected current and former clients," the motion reads. "Morgan Stanley began distributing notice letters in July 2020." The action by the OCC resulted in a consent order stating that Morgan Stanley "failed to effectively assess or address the risks associated with the decommissioning of its hardware."

Following notification, a class-action lawsuit was launched in 2020. Separately, a $60 million fine was issued by the OCC for data protection failures. 

Morgan Stanley has denied liability. However, if the settlement amount is approved by a Manhattan federal court judge, $60 million will be paid into a settlement fund for those potentially impacted.

Claimants will be entitled to at least 24 months of fraud insurance services, and each class member can claim up to $10,000 for out-of-pocket expenses and $100 for 'lost time' (four hours at $25 per hour), although further lost hours will be considered if acceptable evidence is provided.

The bank has also agreed to hire a third party to spend 12 months attempting to locate the equipment that remains unaccounted for; some of it has already been recovered.

Morgan Stanley told Bloomberg in a statement, "We have previously notified all potentially impacted clients regarding these matters, which occurred several years ago, and are pleased to be resolving this related litigation."
