NEW YORK - Morgan Stanley (NYSE:MS) has agreed to a $6.5 million settlement with a group of state attorneys general, led by New York's Letitia James, due to the investment firm's negligence in properly decommissioning computers that contained unencrypted customer data. The oversight led to private consumer information being auctioned off and potentially exposed millions of customers, including approximately 1.1 million in New York.
The issue was uncovered when a purchaser of auctioned equipment found the sensitive data. An investigation revealed that Morgan Stanley hired an inexperienced moving company for the decommissioning of hard drives and servers, which resulted in the equipment being sold without erasing the private information. Additionally, during another decommissioning process, the firm discovered that 42 servers possibly containing unencrypted customer data were missing, attributed to a software encryption flaw.
As part of the settlement announced today, Morgan Stanley will implement several measures to strengthen its data security:
- Establish a comprehensive information security program.
- Create an incident response plan.
- Draft a written policy for managing personal information.
- Encrypt all personal data.
- Track hardware locations storing personal information.
- Assess vendor compliance with Morgan Stanley’s data security standards through a vendor risk assessment team.
New York will receive over $1.65 million from the settlement funds. The case was managed by the Bureau of Internet and Technology within the Division for Economic Justice, reflecting Attorney General James' commitment to safeguarding personal information and holding entities accountable for inadequate data protection practices.
In her ongoing efforts to protect consumer data, Attorney General James has previously secured significant settlements from various organizations for failing to prevent data breaches, including Blackbaud (NASDAQ:BLKB), Marymount Manhattan College, a medical management company, SHEIN and Zoetop, Wegmans, and Sports Warehouse.
Morgan Stanley's pledge to enhance its security measures includes establishing a robust incident response plan and a vendor risk assessment team as well as encrypting all personal data.
This article was generated with the support of AI and reviewed by an editor. For more information see our T&C.