Attorney General James and Multistate Coalition Secure $6.5 M from Morgan Stanley for Failing to Protect Customer Data

Morgan Stanley to pay New York $1.6 M for compromising the personal info of 1.1 M New Yorkers 

New York Attorney General Letitia James and a coalition of five attorneys general on November 16 reached a $6.5 million agreement with global financial services firm Morgan Stanley Smith Barney LLC (Morgan Stanley) for compromising the personal information of millions of customers nationwide. Morgan Stanley failed to decommission its computers and erase unencrypted data in certain computer devices that were later auctioned while still containing consumers’ personal information, including data belonging to 1.1 million New Yorkers. New York will receive $1,658,047 from the settlement and Morgan Stanley will be required to strengthen its data security measures. 

“No one should have their personal information auctioned off without their knowledge because a company failed to take basic steps to erase it before selling their old computers,” said Attorney General James. “Today’s agreement requires Morgan Stanley to bolster its cybersecurity so consumers will never again have to risk their personal data unintentionally being sold at an auction. Companies, big and small, must all take their responsibility to protect their customers’ data seriously, and if they do not, my office will take action.” 

Morgan Stanley hired a moving company with no experience in data destruction services to decommission thousands of hard drives and servers containing the sensitive information of millions of its customers. Morgan Stanley failed to properly monitor the moving company’s work, and its computer equipment, some of which still contained private consumer information, was then sold at auction. Morgan Stanley was only made aware of the problem when a purchaser discovered the data and called the company. 

In a second incident, Morgan Stanley discovered during a decommissioning process that 42 servers, all potentially containing unencrypted customer information, were missing. During this process, the company learned that the local devices being decommissioned may have contained unencrypted data due to a manufacturer flaw in the encryption software. The multistate investigation found that Morgan Stanley failed to maintain adequate vendor controls and hardware inventories, and that had these controls been in place, both data security events could have been prevented. 

Image courtesy of (

Share this post