Morgan Stanley Unauthorized Exposure of Customer PII Class Action

This class action brings suit against Morgan Stanley Smith Barney, LLC, for its alleged failure to safeguard customers’ personal identifiable information (PII). The complaint alleges that the company disclosed, without authorization, customer names, Social Security numbers, passport numbers, and other information, then did not provide timely, adequate or accurate notice about the loss of their PII.

The Nationwide Class for this action is all individuals whose PII was compromised in the data breach first announced by Morgan Stanley on or about July 9, 2020. There is also a California Subclass for those living in California.

Morgan Stanley, an investment company, sells securities and other financial products. When individuals apply to use their services, they are required to give the company extensive PII. The complaint quotes the company as saying it will protect “the confidentiality and security of client information” using “computer safeguards and secured files and buildings.” According to the complaint, even when customers close their accounts, their information still remains on file with the company.

In July 2020, the company began sending notices to a number of state Attorneys General about data breaches that occurred as early as 2016. It also sent notices of a data breach to customers.

What had happened? The complaint points to two instances of missing equipment.

In 2016, the complaint says, Morgan Stanley closed two data centers and took the computer equipment out of operation. It hired someone to remove customer data from the equipment, but later learned that not all the data was removed. The company says that “certain devices believed to have been wiped of all information still contained some unencrypted data.” Now, the company says, the equipment is missing.

In 2019, the complaint says, Morgan Stanley replaced computer servers at various branches. The old servers, which still retained customer PII, were supposed to be encrypted. However, the company later found out that a “software flaw” had left “previously deleted data” on the servers “in an unencrypted form.” Those servers are also now missing.

The complaint alleges, “This missing equipment and servers contain everything unauthorized third[] parties need to illegally use Morgan Stanley’s current and former customers’ PII to steal their identities and to make fraudulent purchases, among other things.”

The company is at fault in more than one way, the complaint claims: “In addition to Morgan Stanley’s failure to prevent the Data Breach, [it] failed to detect the Data Breach for years, and when they did discover the Data Breach, it took them over a year, possible longer, to report it to the affected individuals and the states’ Attorneys General.”

Article Type: Lawsuit
Topic: Privacy

Most Recent Case Event

Morgan Stanley Unauthorized Exposure of Customer PII Complaint

July 29, 2020

This class action brings suit against Morgan Stanley Smith Barney, LLC, for its alleged failure to safeguard customers’ personal identifiable information (PII). The complaint alleges that the company disclosed, without authorization, customer names, Social Security numbers, passport numbers, and other information, then did not provide timely, adequate or accurate notice about the loss of their PII.

Morgan Stanley Unauthorized Exposure of Customer PII Complaint

Case Event History

Morgan Stanley Unauthorized Exposure of Customer PII Complaint

July 29, 2020

This class action brings suit against Morgan Stanley Smith Barney, LLC, for its alleged failure to safeguard customers’ personal identifiable information (PII). The complaint alleges that the company disclosed, without authorization, customer names, Social Security numbers, passport numbers, and other information, then did not provide timely, adequate or accurate notice about the loss of their PII.

Morgan Stanley Unauthorized Exposure of Customer PII Complaint
Tags: Exposing Private Information, Exposure to cyber crime