Wall Street bank Morgan Stanley has agreed to pay $60 million to settle a lawsuit filed by customers who say the company's poor security measures put their personal data at risk.

On December 31, 2021, a preliminary settlement in a class action lawsuit filed on behalf of approximately 15 million clients was submitted to the Federal Court in Manhattan; it requires approval from U.S. District Judge Analisa Torres. Customers will receive fraud compensation for at least two years, during which each person can claim reimbursement for up to $10,000 in cash losses. According to the settlement documents, Morgan Stanley denied any misconduct in agreeing to the settlement and has made a "substantial" upgrade to its data security practices. Customers accuse Morgan Stanley of failing to properly retire two wealth management data centers in 2016, after which unencrypted devices that still contained customer data were resold to unauthorized third parties. They also said servers went missing after Morgan Stanley transferred some of its old servers containing customer data to an external vendor in 2019; court documents show that Morgan Stanley later recovered the servers. The data exposed in the 2016 and 2019 incidents included customer names, addresses, account information, social security numbers, dates of birth, credit card numbers, and other PII.
Morgan Stanley did not immediately respond to requests for comment outside of business hours. In October 2020, Morgan Stanley agreed to pay a $60 million civil fine to resolve allegations by the U.S. Office of the Comptroller of the Currency (OCC) over the incidents, including that its information security practices were unsafe or unsound. Litigation over Morgan Stanley's data security issues is currently pending in the U.S. District Court for the Southern District of New York.
In court filings from 2020, the OCC noted that Morgan Stanley failed to provide proper oversight of the third-party vendors decommissioning its IT equipment and failed to perform proper due diligence, creating a risk of data exposure for its clients. In total, Morgan Stanley could pay more than $120 million in fines. John Michener, chief scientist at cybersecurity firm Casaba Security, said the bank had paid the price for failing to comply with sound regulatory procedures: a potential fine of more than $100 million. Alex Hamerstone, director of consulting solutions at TrustedSec, said the outcome of the lawsuit will get the attention of financial institutions: if they choose not to follow "basic information security practices," they will eventually be held accountable.
"Litigation is also a good reminder for businesses to audit their own processes, whether using internal or external audit resources, to ensure that 'basic information security practices' are followed," Hamerstone said.
Chris Pierson, a former special government employee of the Department of Homeland Security's Cybersecurity Subcommittee and Privacy Committee and current CEO of BlackCloak, also advises financial institutions to audit their internal practices annually and take the following steps:
1. Encrypt data at rest to avoid these exposure risks;
2. Pay attention to physical assets, not only data stored in the cloud;
3. Ensure processes are followed to avoid potential data breaches.
Casaba Security's Michener said it is standard practice for businesses to retire devices and hardware containing sensitive information by shredding or destroying them. It is no longer enough to wipe hard drives and servers, and businesses need to update their practices and policies to deal with new attacks.
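The two failures in this story (unencrypted disks resold after a data-center retirement, servers that went missing at a vendor) are exactly what an asset-disposal audit should catch. The following is an added example, not code from the article or from any firm named in it; the record format, field names, accepted sanitization methods and sample rows are all constructed for illustration.

```python
"""Audit retired-device records for the control gaps described in the article.

Added example; the record layout and sample rows below are constructed.
"""
from dataclasses import dataclass

# Sanitization methods accepted for media that held customer PII. A plain
# "wipe" is deliberately excluded, matching the point that wiping alone is
# no longer considered sufficient (assumed policy, not a legal standard).
ACCEPTED_SANITIZATION = {"shred", "degauss", "crypto-erase"}


@dataclass
class DisposalRecord:
    asset_id: str
    encrypted_at_rest: bool     # was the data encrypted while on the device?
    sanitization: str           # e.g. "none", "wipe", "shred"
    destruction_cert: bool      # vendor returned a certificate of destruction
    disposition: str            # "destroyed", "resold", "missing", "returned"


def audit(record: DisposalRecord) -> list[str]:
    """Return the list of control gaps for one retired device (empty = clean)."""
    findings = []
    if not record.encrypted_at_rest:
        findings.append("data not encrypted at rest")
    if record.sanitization not in ACCEPTED_SANITIZATION:
        findings.append(f"sanitization '{record.sanitization}' not accepted")
    if not record.destruction_cert:
        findings.append("no certificate of destruction from vendor")
    if record.disposition in {"resold", "missing"}:
        findings.append(f"device {record.disposition}: chain of custody broken")
    return findings


def audit_inventory(records: list[DisposalRecord]) -> dict[str, list[str]]:
    """Map asset_id -> findings for every record with at least one gap."""
    return {r.asset_id: gaps for r in records if (gaps := audit(r))}


# Constructed sample rows mirroring the 2016 and 2019 incidents, plus one
# device retired correctly.
SAMPLE = [
    DisposalRecord("dc-2016-disk-01", False, "none", False, "resold"),
    DisposalRecord("srv-2019-07", True, "wipe", False, "missing"),
    DisposalRecord("srv-2021-03", True, "shred", True, "destroyed"),
]

if __name__ == "__main__":
    for asset, gaps in audit_inventory(SAMPLE).items():
        print(asset, "->", "; ".join(gaps))
```

Run against a real inventory, the output is the list of devices the vendor must still account for before the retirement can be signed off.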
Hi, I'm Super Tech
Super Technology is an information security expert, capable of unlimited defense against DDoS attacks and CC attacks, Alibaba Cloud strategic partner!