Morgan Stanley Attracts Second Data Breach Lawsuit
Another law firm has asked a court to allow current and former customers of Morgan Stanley Smith Barney to sue the wirehouse for failing to ensure that their social security numbers, account numbers and other “personal identifiable information” was scrubbed from hardware that was decommissioned.
Morgan Stanley on July 9 began notifying customers that an outside contractor failed to completely scrub hardware from two data centers that were closed in 2016, and discovered in 2019 that old servers in some branches that cannot be located may have unencrypted customer data, according to letters and emails the firm has sent customers and brokers.
Neither complaint claims breaches of computer systems but both allege unauthorized disclosures of the data to unknown third parties.
Morgan Stanley informed brokers, customers and some state attorneys general that it has not detected unauthorized use of the data, but has offered two years of free credit monitoring services from Experian.
“Morgan Stanley’s current and former customers face a lifetime risk of identify theft, which is heightened here by the loss of customers’ Social Security number [sic],” lawyers representing named plaintiffs Richard Grossman of Coral Gables, Florida, and Howard Katz of Philadelphia, wrote in the complaint filed on Friday. “In addition to Morgan Stanley’s failure to prevent the Data Breach, Defendant failed to detect the Data Breach for years, and when they did discover the Data Breach, it took them over a year, possibly longer, to report it to the affected individuals and the states’ Attorney General.”
John Schnagl, a Morgan Stanley customer in the state of Washington, said he was “livid” when he received notification of the potential breach from his advisor and then by mail, primarily because of the delay between the firm’s discovery of the events and the notices.
“I would say that the investigation they made into whether they should be held responsible is worse than a data breach,” said Schnagl, who has not been in contact with lawyers. “I trust my financial advisor, but Morgan Stanley as an entity shows a lack of moral integrity and I am looking into switching my account to somewhere else.”
A Morgan Stanley spokeswoman declined to comment on the lawsuits, other than to repeat previous statements to the press and clients that no harm has been discovered to date.
“We have continuously monitored the situation and have not detected any unauthorized activity related to the matter, nor access to or misuse of personal client data,” she said.
Lawyers at Nussbaum Law Group in New York who filed Friday’s suit along with lawyers at Criden & Love in Miami did not respond to requests for comment or said they do not as a matter of policy comment on ongoing litigation. Lawyers at Morgan & Morgan in New York who filed the earlier suit did not return requests for comment.
Under standard class-action courtroom procedures, the two suits and others that may follow are likely to be consolidated, said several attorneys.
Neither suit estimated the size of the potential customer classes, but said that Morgan Stanley has identified “thousands of customers whose PII may have been improperly accessed.”