Data Breach Lawsuits Piling Up for Morgan Stanley

By Alex Padalka August 31, 2020

Morgan Stanley is facing yet another lawsuit related to data breaches from 2016 and 2019.

As in the previous lawsuits filed in the last several weeks, Timothy Smith claims that the company failed to protect his personally identifiable information when it closed two data centers in 2016, decommissioning the equipment and hiring a third-party vendor to erase client data, which resulted in some devices still containing unencrypted data, according to a suit filed Thursday before the U.S. District Court for the Southern District of New York.

The suit, which is seeking class action status, also accuses the firm of losing disconnected servers in 2019 that likewise contained unencrypted customer data.

“Not only can unauthorized third-parties access Defendant’s customers’ PII, the PII can be sold on the dark web. Hackers can access and then offer for sale the unencrypted, unredacted PII to criminals,” Smith claims in his suit. “Plaintiff and Morgan Stanley’s current and former customers face a lifetime risk of identity theft, which is heightened here by the loss of customers’ Social Security number.”

Smith, a North Carolina resident whose account with Morgan Stanley is no longer active, according to the suit, says that, like the plaintiffs in the previous suits, he found out about the breaches when the firm notified him of them this July.

The latest suit is at least the seventh class action brought against Morgan Stanley in connection with the 2016 and 2019 data breaches, all filed in the Southern District of New York.

Former client Midori Nelson and her husband John Nelson filed suit earlier this month against the firm, accusing the company of failing to safeguard their personal information. Martin Behar, who had a brokerage account with the firm from 2013 to 2015, claims in his suit that the breach left him exposed to fraudsters who could steal his personal information to sell it on the dark web or make fraudulent purchases. Several other former and current Morgan Stanley clients, including residents of California, New York, Florida and Illinois, have all filed similar suits.

In response to questions about the previous suits, Morgan Stanley has told FA-IQ as well as its sister publication FundFire that the company was continuously monitoring the situation and hadn’t detected any unauthorized activity resulting from the breaches. 

In 2016, Morgan Stanley paid a fine ordered by the SEC for a data breach caused by one of its former advisors, as reported.
