Morgan Stanley Faces $60 Million Lawsuit Over Mishandling of Legacy Technology in Data Breach

Morgan Stanley has reached a $60 million class action settlement concerning mishandling of legacy technology, which resulted in two data breaches in 2016 and 2019.

As part of the settlement, all 15 million affected customers will be provided with at least two years of fraud insurance coverage and will be eligible for reimbursement of up to $10,000 for any out-of-pocket losses.

The class action lawsuits were initiated after the Office of the Comptroller of the Currency (OCC) imposed a $60 million fine on Morgan Stanley in October of the previous year for its failure to properly decommission two wealth management data centers in 2016. The OCC stated that Morgan Stanley did not effectively assess or manage the risks related to the decommissioning of its hardware at those sites.

Additionally, the bank faced criticism for inadequately vetting the vendor tasked with the decommissioning project and for failing to monitor the vendor’s performance. It also did not maintain an appropriate inventory of customer data stored on the decommissioned hardware.

The OCC noted similar vendor management issues in 2019 when Morgan Stanley decommissioned other devices that contained customer data.

More recently, the personal information of Morgan Stanley stock plan participants was compromised during a data breach affecting a third-party vendor, linked to a vulnerability in file-sharing software from Accellion. This breach resulted in unauthorized access to files containing sensitive information such as participants’ names, addresses, dates of birth, Social Security numbers, and corporate company names.