
Morgan Stanley agrees $60 million settlement in data breach lawsuit

The two separate data incidents occurred in 2016 and 2019 and concerned the investment bank's handling of legacy IT equipment

US investment banking giant Morgan Stanley has agreed to pay $60 million (£44 million) to settle a lawsuit following two data incidents that left customer information exposed.

The proposed class-action lawsuit was brought against Morgan Stanley on behalf of around 15 million customers affected by the data incidents. The preliminary settlement was filed on Friday night and requires approval by US District Judge Analisa Torres, Reuters reported.

Morgan Stanley denies wrongdoing as part of the settlement but has made upgrades to its data security posture, settlement papers showed. The settlement will see all affected customers receive at least two years of fraud insurance coverage and they will be able to apply for a sum of up to $10,000 (£7,400) each for out-of-pocket losses.

The data incidents in question are two separate cases, from 2016 and 2019 respectively, and they call into question Morgan Stanley's approach to retiring legacy IT systems. Affected customers in the 2016 case claimed the investment bank failed to properly decommission two wealth management data centres before they were sold on to third parties with customer data still stored on them.

In a similar case, customers said data went missing in 2019 after Morgan Stanley transferred older servers to an outside vendor - servers that were later recovered by the bank, court papers showed.


"We have previously notified all potentially impacted clients regarding these matters, which occurred several years ago, and are pleased to be resolving this related litigation," said a Morgan Stanley spokesperson to IT Pro.

Morgan Stanley was infamously caught up in the wide-reaching hack on Accellion's File Transfer Appliance (FTA) last year. Personal data belonging to its corporate clients was stolen in January 2021 after its systems were breached via the Accellion FTA server operated by third-party vendor Guidehouse, it said at the time.

Social security numbers, birth dates and affiliated corporate company names were also believed to be among the sensitive data stolen in the attack, the bank confirmed. 
