Morgan Stanley Faces Another Lawsuit Over Alleged Data Breaches

By Alex Padalka August 4, 2020

Morgan Stanley is facing another lawsuit connected to alleged data breaches in 2016 and 2019.

Richard Grossman and Howard Katz have filed suit in a Manhattan federal court alleging that Morgan Stanley failed to properly safeguard their personal information, including Social Security and passport numbers, account numbers, asset value and more. 

The plaintiffs also claim the wirehouse failed to alert them in an accurate and timely manner about the loss of their personal information, according to the suit, which was filed on July 31 before the U.S. District Court for the Southern District of New York. The suit seeks class action status but does not quantify the number of potential class members or the amount of damages.

Grossman, who lives in Coral Gables, Fla., is the beneficiary of a Morgan Stanley individual retirement account, according to the suit. The account, which remains active, inherited its proceeds from Esther Grossman, who died in September 2003, the suit adds.

Katz, who lives in Philadelphia, opened a Morgan Stanley trading account via telephone in or about the end of 2012, the suit states. This account is no longer active, the suit adds.

On July 15, Grossman received Morgan Stanley’s notice of data breach, dated July 9, according to the suit. The notice specifically stated that his information associated with his account was likely subject to the data breach, the suit adds. On or about the week of July 20, Katz received the same notice from the wirehouse, the suit notes.

The suit is related to notifications Morgan Stanley began making to various state attorneys general and clients last month about several data breaches that had occurred as early as 2016. 

That year, Morgan Stanley closed two data centers, decommissioned the computer equipment there and hired a third-party firm to remove customer data from the equipment, the suit claims. But the firm later learned that the data wasn’t completely erased and that some of the devices still contained unencrypted data — and those devices are now missing, the plaintiffs allege. 

In addition, computer servers that Morgan Stanley disconnected in 2019 at various branches allegedly also contained unencrypted customer data, and those servers are missing as well, according to the suit.

The plaintiffs allege negligence, invasion of privacy, unjust enrichment and more, and are seeking punitive damages, lawyers’ fees and costs and any other relief deemed appropriate by the court.

This is at least the second suit against Morgan Stanley arising from the data breaches in 2016 and 2019.

On July 29, several residents of California, New York, Florida and Illinois — including one existing and three former Morgan Stanley clients — filed suit, also in the U.S. District Court for the Southern District of New York, alleging that the wirehouse failed to protect their personal data. That suit also accused the firm of failing to promptly alert them to the potential compromise of their Social Security and passport numbers, among other personal information. 

A spokesperson previously did not comment on the first suit, but told FA-IQ that Morgan Stanley has not identified personal information abuses related to incidents at the data centers.

When previously asked how many wirehouse clients have been notified about the potentially compromised data, the spokesperson didn't provide a number. The SEC fined Morgan Stanley $1 million in 2016 for failing to have federally mandated policies and procedures guarding customer information, as reported.
