Morgan Stanley has agreed to pay a $60 million settlement over two data breaches resulting from data center decommissioning incidents.
Having already paid a large fine to the regulators in 2020, the US bank has now settled a class-action lawsuit relating to lost wealth management-related customer data during the decommissioning of two data centers in 2016.
The bank this week agreed to pay a $60 million settlement to affected customers. A preliminary settlement of the proposed class action on behalf of about 15 million customers was filed on Friday night in Manhattan federal court and requires approval by US District Judge Analisa Torres.
Affected customers can receive at least two years of fraud insurance coverage, as well as apply for reimbursement of up to $10,000 in out-of-pocket losses. Morgan Stanley denied wrongdoing in the settlement, but notes it has made "substantial" upgrades to its data security practices.
“We have previously notified all potentially impacted clients regarding these matters, which occurred several years ago, and are pleased to be resolving this related litigation,” the bank said in a statement Monday.
ITAD goes awry for Morgan Stanley
The settlement marks the final resolution of an incident nearly five years in the making. In July 2020 Morgan Stanley sent out a notice to customers, warning of two potential incidents relating to personal information.
The company said that during the decommissioning of two data centers in 2016, a vendor may have not wiped all information – including customer data – from hard drives. It also said in 2019 it may have lost a server from a branch office during a hardware refresh and that some of the deleted information may still be on the disk and unencrypted.
The US Office of the Comptroller of the Currency (OCC) fined Morgan Stanley $60 million in 2020 for failing to properly decommission two wealth management data centers in 2016. According to the OCC, the bank “failed to exercise proper oversight” of the decommissioning of the two US-based facilities.
As a result of the breach, the company faced eight lawsuits, which were consolidated into one class-action case. The company was accused of “ignoring industry standards” around proper IT Asset Disposal (ITAD).
In filings, the bank was accused of dismissing IBM in favor of an “unknown and unqualified vendor” to decommission its computer equipment as part of “profit-driven decisions” in order to save $100,000. The bank then contracted a firm called Triple Crown to remove, wipe, and recycle the devices.
Instead of proper disposal, Triple Crown reportedly sold the devices to another ITAD firm, AnythingIT, and reported to Morgan Stanley that the devices had been destroyed. AnythingIT then also failed to wipe the devices, and sold them to another ITAD company, known as KruseCom, which either destroyed or sold on the devices.
Though it acknowledged some lost hardware was never recovered, the bank has maintained throughout that no harm has come to customers as a result of the data loss.
In the 2019 incident, the bank removed and replaced around 500 Wide Area Application Services from branch offices, and was unable to account for all of the devices during a subsequent inventory. The manufacturer reportedly told the bank a ‘software flaw’ meant some deleted information could remain on the disk unencrypted.