Attorney general secures $6.5 million from Morgan Stanley for data security lapse

November 21, 2023 Robert Abruzzese, Courthouse Editor
Attorney General Letitia James, along with a coalition of five other state attorneys general. Photo: Rob Abruzzese/Brooklyn Eagle

Attorney General Letitia James, along with a coalition of five other state attorneys general, secured a $6.5 million settlement from Morgan Stanley Smith Barney LLC (Morgan Stanley) for compromising the personal information of millions of customers, including 1.1 million New Yorkers.

The breach occurred when Morgan Stanley, a global financial services firm, failed to properly decommission and erase unencrypted data from its computers before auctioning them off. This oversight led to the personal data of millions being potentially exposed. 

As part of the settlement, New York will receive $1.6 million, and Morgan Stanley will be required to implement stronger data security measures.

“No one should have their personal information auctioned off without their knowledge because a company failed to take basic steps to erase it before selling their old computers,” said Attorney General James. “Today’s agreement requires Morgan Stanley to bolster its cybersecurity so consumers will never again have to risk their personal data unintentionally being sold at an auction.”

The situation first came to light when a buyer of the auctioned equipment discovered the data and informed Morgan Stanley. In a separate incident, the company found that 42 servers, potentially containing unencrypted customer information, were missing during a decommissioning process. 

These lapses highlighted significant shortcomings in Morgan Stanley’s vendor controls and hardware inventory management.

Under the terms of the settlement, Morgan Stanley will not only pay the fine but also adhere to a series of provisions designed to safeguard customer information. 

These include maintaining a comprehensive information security program, employing encryption for stored and transmitted personal data and establishing a vendor risk assessment team to ensure compliance with data security requirements.

 

