Morgan Stanley says it has not detected unauthorized use of personal information related to the recent data security incidents. | Chim/Shutterstock
Financial institution Morgan Stanley recently told customers an ITAD vendor's mistakes may have left personal information susceptible to misuse. Multiple clients have filed suit against the investment firm.
Morgan Stanley on July 10 wrote to clients disclosing "potential data security incidents" related to their personal information. The incidents occurred during multiple ITAD processes over the past four years, according to the letter.
"In 2016, Morgan Stanley closed two data centers and decommissioned the computer equipment in both locations," the company wrote. "As is customary, we contracted with a vendor to remove the data from the devices. We subsequently learned that certain devices believed to have been wiped of all information still contained some unencrypted data."
In an incident in 2019, another ITAD project involved retiring and replacing computer servers in multiple local branch offices, according to a separate notification the company issued to the Iowa Attorney General's Office. These retired servers may have stored personal information.
"During a recent inventory, we were unable to locate a small number of those devices," wrote Gerard Brady, chief information security officer for Morgan Stanley. "The manufacturer subsequently informed us of a software flaw that could have resulted in small amounts of previously deleted data remaining on the disks in unencrypted form."
Morgan Stanley will pay for two years of credit monitoring for customers whose data may have been breached, according to the notifications. The company will also pay for free "identity restoration" services if a client's information is found to be compromised.
In a statement to E-Scrap News, a Morgan Stanley spokesperson said company officials have "continuously monitored the situation and have not detected any unauthorized activity related to the matter, nor access to or misuse of personal client data."
In both instances, Morgan Stanley "investigated the disposition and handling of the devices, and worked with outside technical experts to understand any potential risks to customer data in light of the technical characteristics and configuration of each of the relevant devices," according to the notification to the Iowa Attorney General.
Morgan Stanley did not name the contracted processor that handled the decommissioning events in question. According to a report in AdvisorHub that cited an unnamed source, Morgan Stanley is "considering appropriate legal action against the firm hired to scrub the data."
The data security incidents have so far spurred two class action lawsuits against Morgan Stanley on behalf of clients concerned about their personally identifiable information being breached. Filed on July 29 and July 31 in the U.S. District Court for the Southern District of New York, the lawsuits allege negligence, invasion of privacy and unjust enrichment for failing to properly protect clients' information.
The personal information of clients was compromised due to Morgan Stanley's "negligent and/or careless acts and omissions and the failure to protect customers' data," according to the July 31 lawsuit. "In addition to Morgan Stanley's failure to prevent the data breach, defendant failed to detect the data breach for years, and when they did discover the data breach, it took them over a year, possibly longer, to report it to the affected individuals and the states' attorneys general."
The lawsuits ask the court to compel Morgan Stanley to use "appropriate cyber security methods and policies with respect to [personally identifiable information] collection, storage, protection and disposal," among other actions.
Morgan Stanley has not filed a response in court. The company declined to comment to E-Scrap News on the legal actions.