Morgan Stanley is facing a $5 million lawsuit for not protecting the information of clients when old computer equipment was disposed of. According to the suit, Morgan Stanley failed to scrub personally identifiable information from the computers and failed to alert affected customers in due time.
Who is suing?
Timothy Smith, a retired accountant and former client of Morgan Stanley, is leading the suit on behalf of 100 customers affected by the data breach. The affected customers are afraid their information may be sold on the dark web or used by criminals.
According to the complaint,
"Not only can unauthorized third-parties access defendant’s customers’ PII, the PII can be sold on the dark web."
It also states,
"Hackers can access and then offer for sale the unencrypted, unredacted PII to criminals."
There is always the potential of identity theft when a data breach of this nature occurs.
A case of negligence and carelessness
Morgan Stanley has confirmed the breach. In a letter issued to the Attorney General of California, the company confirmed that personally identifiable information such as account names, passport numbers, contact information and dates of birth could have been exposed.
The suit alleges that Morgan Stanley did not prevent the data breaches because of negligence. The first data breach happened in 2016 when Morgan Stanley closed two data centres. They hired a vendor to remove data from the decommissioned computers; however, the computers were not completely scrubbed and personal data was left unencrypted. Some computers are now missing.
In 2019, Morgan Stanley replaced a computer server in one of their local branches. They also left unencrypted information on the servers. According to the complaint, some of these servers are missing. Morgan Stanley reported they could not locate the device and information could have been exposed because of a “software flaw”.
As the lawsuit alleges, Morgan Stanley not only failed to learn from a previous incident but also, after discovering the breach, took a year to report it to the agency and alert the people who were affected.
This incident offers important lessons for organisations:
1. It is important that you put in place security procedures and practices to protect sensitive customer information, especially when unencrypted.
2. If you are dealing with a data breach, inform your affected clients in due time. Offer support on how they can cope with the exposure of their information.
3. There can be a severe penalty for failing to prevent a data breach. Be proactive in auditing your operations to spot gaps that could lead to a data breach. Get in touch with us for a consultation.
Kazient Privacy Experts offers bespoke Data Protection, Privacy and GDPR compliance solutions in a language you understand to UK and international organisations, and has received positive media coverage across Europe. Kazient’s GDPR consultants are fully certified to be your outsourced Data Protection Officer or EU Representative. Get in touch to find out how we can help your business by visiting our website www.kazient.co.uk or calling us on 0330 022 9009.