Morgan Stanley, an investment bank and financial services company, has agreed to pay $60 million to settle a class-action lawsuit filed against it in July 2020 over two security breaches that compromised the personal data of approximately 15 million of its customers. The $60 million data breach settlement now awaits a federal judge's approval in Manhattan.
The suit alleges that Morgan Stanley failed to safeguard its clients' Personally Identifiable Information (PII). It is further alleged that some of the company's equipment went missing after it was decommissioned.
According to the complainant, data center equipment decommissioned by Morgan Stanley in 2016 and 2019 was not properly wiped, and a software flaw meant that sensitive data stored on the old servers and other technologies would be visible in unencrypted form to whoever purchased the decommissioned equipment.
An investigation into this incident was conducted by the Office of the Comptroller of the Currency (OCC) after a vendor contacted Morgan Stanley in 2017 to inform it that data belonging to its clients was accessible via the old technology. In July 2020, the company began notifying its current and former clients impacted by the data security breach. Three months later, the OCC issued a consent order assessing a $60 million civil penalty against Morgan Stanley.