A pair of lawsuits allege Morgan Stanley compromised sensitive client information — including Social Security, passport and account numbers — by failing to fully wipe decommissioned computer equipment that has since gone missing.
The first lawsuit, filed Wednesday in federal court in New York, represents five current and former Morgan Stanley clients who were notified earlier in July about data breaches that occurred as early as 2016. The second lawsuit, filed two days later in the same court, represents two more individuals who also received the notification.
The lawsuits are seeking class action status on behalf of affected clients.
After closing two data centers in 2016, Morgan Stanley hired a vendor to remove customer data from the equipment, according to the notification sent to plaintiffs. Morgan Stanley subsequently learned that some devices still contained unencrypted data after they left the firm’s possession.
In letters signed by chief information security officer Gerard Brady and sent to various state attorneys general, Morgan Stanley said branch office servers the firm disconnected in 2019 had a software flaw that left “previously deleted data” on the hard drives, unencrypted. “During a recent inventory, we were unable to locate a small number of those devices,” the notification states.
The notification, a copy of which was included in the lawsuits, adds that Morgan Stanley has investigated the matter and is working with outside experts to understand potential risks to clients.
“The missing equipment and servers contain everything unauthorized third-parties need to illegally use Morgan Stanley’s current and former customers’ [personal identifiable information] to steal their identities and to make fraudulent purchases,” the lawsuits state.
A Morgan Stanley spokesperson said the firm has “continuously monitored the situation and [has] not detected any unauthorized activity related to the matter, nor access to or misuse of personal client data.”
The spokesperson declined to comment on the lawsuits.
The current and former clients say that in addition to being reckless and negligent in protecting the data, Morgan Stanley took too long to detect that data had been compromised and alert affected customers. The lawsuits do not specify a damage amount.
Attorneys representing the plaintiffs did not respond to a request for comment.