Morgan Stanley, a US bank and financial services giant, has agreed to pay $60 million after being subject to a class action suit following two data exposure incidents. The cybersecurity incidents involved roughly 15 million current and former clients. According to the suit, legacy equipment was decommissioned in 2016 and 2019 that contained the personally identifiable information of Morgan Stanley clients, however, the equipment was not wiped clean of this sensitive information prior to the sale. Therefore, unencrypted datasets may have been exposed and available to view by the purchasing party.
Court documents suggest that the retired equipment included old servers and other data center technology. Morgan Stanley was contacted by one of these vendors in 2017, who told the company that they had access to client data. In 2020, the Office of Comptroller of Currency directed Morgan Stanley to provide notice of the potential exposure, however, the company failed to do so. Following the notification, a class-action lawsuit was launched in 2020. Morgan Stanley claims to have notified all previously impacted clients regarding the data breach.
Read More: Morgan Stanley agrees to $60 million settlement in data breach lawsuit