Banking giant Morgan Stanley has agreed to pay $60 million to customers who took legal action claiming substandard security practices put their personal data at risk following two separate security breaches.
A preliminary settlement was recently filed in Manhattan federal court. According to Reuters, the settlement now requires the approval of Analisa Torres, a US District Judge.
Should the settlement be approved, 15 million affected Morgan Stanley customers will:
- Get at least two years of free identity theft protection
- Be able to apply for reimbursement of up to $10,000 for any out-of-pocket expenses they have incurred owing to these breaches or the subsequent action
Despite agreeing to the settlement, Morgan Stanley continues to deny any wrongdoing but admits it has made what it calls “substantial” upgrades to data security practices since the two incidents occurred.
Old data centres at the heart of the breach
The lawsuit, which was brought by both former and current Morgan Stanley customers, said the bank didn’t properly wipe decommissioned equipment from two data centres in 2016 before reselling it to third parties. Legal papers also said that several older servers containing customer data went missing in 2019 after Morgan Stanley transferred them to an external vendor. However, according to court papers, Morgan Stanley was able to recover the servers in the latter case.
The bank had already agreed to pay a $60 million civil fine in October 2020 to resolve accusations about these incidents raised by the US Office of the Comptroller of the Currency.