One of the most damaging effects of a data security breach on an organization is the lawsuit that follows it. On top of that, there is the damage of losing clients' trust. This was the case with the Morgan Stanley data security breach. Let's talk about the data security breach at Morgan Stanley and the settlement afterward.
Morgan Stanley
Morgan Stanley is a global financial services firm formed by Harold Stanley and Henry S. Morgan on September 16, 1935. The firm offers investment banking products and services to enterprises, governments, financial institutions, and individuals. It operates in the following business sectors: institutional securities, wealth management, and investment management. The Institutional Securities division provides financial consulting, capital-raising, and related finance services on behalf of institutional investors.
Wealth Management provides brokerage and investment advisory services for equities, options, futures, foreign currencies, precious metals, fixed-income securities, mutual funds, structured products, alternative investments, unit investment trusts, managed futures, separately managed accounts, and mutual fund asset allocation programs. Finally, the Investment Management division offers strategies for stock, fixed income, alternative investments, real estate, and merchant banking.
Morgan Stanley Data Breach
Social engineering attacks have resulted in the breach of customer accounts at Morgan Stanley Wealth Management, the company's wealth and asset management business.
Accounts were compromised through voice phishing, a form of social engineering in which fraudsters pose as a legitimate entity over the phone in order to trick their targets into divulging personal information.
Customers received emails informing them that a cybercriminal posing as the financial services provider had compromised their online account information.
After gaining access to their accounts, the hacker then moved funds electronically to their own bank account via the Zelle payment service.
The email reads:
“As you are aware, on or around February 11, 2022, you were contacted by a bad actor claiming to be with Morgan Stanley.”
“The bad actor was able to obtain information relating to your Morgan Stanley Online account, subsequently accessing this account and initiating unauthorized Zelle payments.”
However, the company has assured BleepingComputer that there was no data breach or information leak on its part.
The Assurance
According to Morgan Stanley, they have locked all affected customers’ accounts, and their systems “remain secure.”
“This compromise was not the result of any action by Morgan Stanley Wealth Management and our systems remain secure,” said the business.
Furthermore, Morgan Stanley warns clients against responding to calls from unknown numbers in order to protect themselves from phishing and other social engineering frauds.
Here is what they advised:
- Be careful about giving up too much personal information over the phone.
- Verify that the person requesting this data is who they say they are and that they are representing a legitimate business.
“You can always hang up and call the organization back using a phone number found through a trusted source, such as the company’s official website or perhaps a financial statement.”
Morgan Stanley Data Security Settlement
The $60,000,000 settlement resolves a class action lawsuit against Morgan Stanley, a financial services and investment banking firm headquartered in the United States. The names, addresses, and Social Security numbers of about 15 million Morgan Stanley customers were exposed in two distinct data security incidents.
According to the complaint, Morgan Stanley mishandled the disposal of IT (information technology) equipment in 2016 and 2019. Many of these IT devices disappeared after being sold to unnamed third parties.
As a result, unauthorized persons may have gained access to personal information about Morgan Stanley clients. The following client information may have been stored on the IT equipment in question:
• Social Security Numbers,
• Maiden Names,
• Past and Current Work and Home Addresses,
• Driver’s License Numbers,
• Personal Income,
• Asset Holding Information,
• Passports,
• Telephone and Cell Numbers,
• Family Members’ Information,
• Dates of Birth.
All of this data is PII and poses a significant risk of identity theft, which in turn can cause incalculable harm.
The Good News?
If you are a Morgan Stanley client who received a data breach notification letter in July 2020 and/or June 2021 informing you that your Personal Information may have been compromised in Data Security Incidents, you may be entitled to benefits under this class action Settlement.
If you have not received a unique code but believe you are a Settlement Class Member, you can call this number to verify your identity and obtain additional information: 1-855-604-1744
Morgan Stanley has agreed to establish a $60 million class action settlement fund to fully resolve and release the claims of the Settlement Class Members related to the Data Security Incidents.
What to get…
Members who meet the requirements are eligible to receive a portion of the $60 million fund for each of the following:
- Settlement Class Members who spent time investigating or resolving issues related to the Data Security Incidents are eligible to submit a claim to receive reimbursement for up to four hours at a rate of $25 per hour, for a total of up to $100. The claim must include an attestation that the actions were taken in response to the Data Security Incidents. Claims for lost time up to four hours will not require any additional documentation beyond what is already required.
- Settlement Class Members may be eligible to receive a reimbursement of up to $10,000 (in total per Settlement Class Member) for out-of-pocket expenses, as well as a reimbursement of up to an additional five hours of time if Settlement Class Members are able to document time lost remedying issues related to the Data Security Incidents (at a rate of $25 per hour or, if you lost work, at a rate of documented compensation up to $50 per hour). In order to demonstrate that the Data Security Incidents were the root cause of the expenditures that were incurred and to be eligible for reimbursement for out-of-pocket expenses, you are required to present reasonable proof together with your Claim Form.
Morgan Stanley Data Security Settlement: Conclusion
The settlement marks the final closure of an incident that has lasted nearly five years. Morgan Stanley issued a notification to customers in July 2020, alerting them to two potential incidents involving personal information.
According to the firm, a vendor may not have erased all information – including client data – from hard drives during the decommissioning of two data centers in 2016. It also stated in 2019 that a server from a branch office may have been lost during a hardware refresh, and that part of the wiped data may still be on the disk and unencrypted.
Morgan Stanley was fined $60 million by the US Office of the Comptroller of the Currency (OCC) in 2020 for failing to properly decommission two wealth management data centers in 2016. The bank “failed to exercise proper oversight” of the decommissioning of the two US-based sites, according to the OCC.
As a result of the breach, the corporation was hit with eight lawsuits, which were later consolidated into a single class-action complaint. The corporation was accused of “ignoring industry standards” when it came to proper IT Asset Disposal (ITAD).
According to court documents, the bank fired IBM in favor of an “unknown and unqualified vendor” to decommission its computer equipment as part of “profit-driven decisions” to save $100,000. After that, the bank hired Triple Crown to remove, wipe, and discard the devices.
Instead of properly disposing of the devices, Triple Crown allegedly sold them to another ITAD firm, AnythingIT, and represented to Morgan Stanley that they had been destroyed. AnythingIT then neglected to clean the devices before selling them to KruseCom, another ITAD business that either destroyed or sold the devices.
Despite the fact that some lost hardware was never recovered, the bank has stated that no clients were harmed as a result of the data loss.
In the 2019 incident, the bank removed and replaced around 500 Wide Area Application Services devices from branch offices and was unable to account for all of them during a subsequent inventory. According to the manufacturer, a 'software error' meant that some deleted data could remain unencrypted on the disk.
What is Morgan Stanley known for?
Morgan Stanley is a global leader in investment banking, and corporations, organizations, and governments rely on it. They advise clients on mergers, acquisitions, restructurings, initial public offerings (IPOs), convertibles, share repurchases, debt issues, derivatives, and other transactions.
How many people were impacted by the Morgan Stanley data breach?
Morgan Stanley was accused by federal regulators of “astonishing” mistakes that resulted in the mishandling of sensitive data on approximately 15 million customers.
How much money do you need to be a client of Morgan Stanley?
You can choose from the entire portfolio of managed account programs, which are tailored for varying levels of financial experience and sophistication and have asset minimums as low as $5,000.
What really occurred in the Morgan Stanley data breach?
Customers' Social Security numbers and birth dates were not completely erased from the decommissioned data center equipment, and the equipment went missing. They stated that a software error left data on the old systems unguarded.