EXCLUSIVE: Morgan Stanley Tells Customers of Potential Data Compromise

Morgan Stanley is offering some current and former wealth management customers a two-year free subscription to a credit report monitoring service to compensate for the potential compromise of personal data that was being stored on decommissioned hardware.
In a memo sent Thursday afternoon to the firm’s 15,400 brokers, field management head Vince Lumia said the issue stems from two data centers closed in 2016. Some servers and other hardware that were sold to recyclers after a vendor was hired to scrub the devices still contained some client data, he explained.
“[W]e concluded that it would be very difficult for anyone to access or misuse the data, given what we believe subsequently happened to those devices and the fact that many of the devices had design features that made it unlikely that data was accessed or misused,” Lumia wrote. “We have continuously monitored the situation—looking not only for data associated with our current clients, but any information indicating a breach of Morgan Stanley client data—and have not detected any unauthorized activity related to the incident.”
Morgan Stanley on Friday began contacting customers whose data may have remained on the devices as of Jan 31, 2016, offering the two-year subscription to their Experian credit reports “out of an abundance of caution,” said a person familiar with the events.
Such free credit-tracking offers often follow data breaches and are sometimes mandated by regulators, though the person emphasized that the hardware recycling incident has not involved hacking or compromised data and has not held up Morgan Stanley’s pending $13 billion acquisition of E*Trade Financial Corp.
Morgan Stanley is considering appropriate legal action against the firm hired to scrub the data, the person said, declining to name the vendor.
“The Capitol Forum,” which publishes legal analysis newsletters, disclosed the hardware scrubbing mistake in March, reporting that it could have prompted a delay in the E*Trade deal.
A Morgan Stanley spokeswoman declined to comment on how many current and former customers are receiving notifications.
Lumia’s email to his wealth management staffers came only hours before another embarrassing incident.
June commissions that were directly deposited into advisors’ Morgan Stanley Bank accounts on Friday were almost instantly withdrawn because of an issue involving pay vendor Automatic Data Processing, according to several advisors and other insiders.
Some advisors complained of negative balances because of pre-scheduled mortgage and other payments due on the tenth of the month that they had expected to be covered.
ADP informed Morgan Stanley Friday afternoon that it had resolved the technical issue and expected to transmit the deposits in the evening for availability by Saturday morning, said a person familiar with the issue.
I am the whistleblower on JPMorgan employee Bryan Gasche entering RBC client accounts for years after Gasche left RBC. Gasche remained working with RBC advisor Scott Sangerman. Encrypted Documents on an encrypted sent from MN to the DMV withheld with intent by FINRA & RBC were provided only after FINRA DRS was forced settled confirming JP Morgan employee Bryan Gasche used ADP to scrub then rework papers going back to before Client became an RBC client. Client was never a JPMorgan client confirmed by Jamie Dimon JPMorgan CEO. FINRA & SEC were advised along with State Commission that referred complaint to Finra that initiated the coverup. I am the whistleblower 2010. SEC & Finra took action to protect the Securities Broker Dealer Firm only. I am the whistleblower. SEC refuses to pay the award
“the fact that many of the devices had design features that made it unlikely that data was accessed or misused”
I’ve got my super duper corporate legal decoder glasses….
“The hard drives we sold, which were subsequently resold, were part of a RAID array, where data is spread across multiple drives. The data was not encrypted, but someone could only recover data using freely available open source software and if they were a computer nerd. Which we deem unlikely”
At least they stepped up and are admitting to something. I suspect many corporations would not.
Wow! They deserve a Gold Star! I got the letter, with a list of things I need to do to protect my information. There is not even a hint of an apology. Experience directed me to Morgan Stanley customer service, the lady who answered the phone, asked me to send a letter to their general mailbox, it would take them 4-6 weeks to respond. Of course, she would not give me her last name.
I GOT 2 LETTERS TODAY FOR DIFFERENT ACCOUNTS. THE CONFUSING THING IS THAT I HAVE NEVER HAD A MORGAN STANLEY ACCOUNT?????? I TRIED CALLING AND WAS TOLD THAT THEY HAVE NO IDEA HOW TO TRACE MY ACCOUNTS AND THEN REFERRED ME TO JUST SIGNING UP FOR EXPERIAN PROTECTION
I received a letter today with ex’s name and mine (JTWROS). I have been divorced from him since 2004. Strange that it would be sent to my address with my name included since we have not lived together for over 17 1/2 years. Too bad there is no telephone number to reach Morgan Stanley to inquire about this account with my name on it.
I received a letter also, we are separated and working on a divorce, this account in ref. was 22 years ago, and he says never was, but I had him call and it was an account for 4 years, IRA rollover, and it is being investigated. Many men lie about their money. We were married 50 yr. Sorry that yours happened after the fact. The three page letter did have telephone numbers and the first guy hung up on him, but a local office is checking it out. Very strange. Stay well.
If you previously had an account at Dean Witter or Smith Barney, Morgan Stanley may have acquired your account and personal information through an acquisition of these firms.
I received a letter but tossed it – how can I sign up for the free experian monitoring?
Do we know which two data center locations were closed and computer equipment decommissioned by Morgan Stanley? I also received a letter dated July 11, 2020 in regards to a former account.
I received my notice for accounts that were closed 3 years prior to the closing of the data centers. My question is why did Morgan Stanley still have my confidential data on its servers?
Years before Morgan Stanley closed their data centers, I had already closed my accounts with them. So, why do they have my information saved, and this letter that came from Morgan Stanley notifying me of a possible breach was addressed to my former last name which was changed in 2008. Why do they still have my VERY OLD personal information, since I have no accounts there????
I received my letter dated July 12. I’m questioning the free 2 year credit monitoring and restoration, feels like a “come on”, anybody else?
I am suspicious also. Is someone fishing?? Experian wants my SS# to enroll me in their Identity Works program. Nobody can tell me what account they are talking about. I may have had a Smith Barney account more than 10 years ago. No divorce or separation here.
I think everyone should send this info to their State Attorney General and to New York Attorney General.
Karl in Minnesota
I’m hesitant also. Ultimately did you supply your SS# and subscribe? Any advice to share?
I called the number for Experian in the letter and spoke to an individual and feel pretty confident that it is not a hack attempt. I also searched the web and there are several articles about the possible security breach and the Experian offer from Morgan.
I received the letter today, dated July 11. Definitely I will use the free 2 years credit monitoring from Experian. I cannot believe these things are still happening. They sold the hard drives without cleaning them properly, unbelievable. Why do they need to sell hard drives in the first place?
I was only a customer for approximately a year, and closed my accounts with them in January of 2000! Why they would still have my info after that many years is concerning enough, but the letter they sent to me also has the names of my 3 children on it, as they were beneficiaries, and Morgan Stanley was given all of THEIR very personal info as well. I’m Pi**ED!
BE CAREFUL! I was checking Experian.com website for more information about this Experian IdentityWorks they are offering 2 years, and I’m unable to find any information about this program in Experian.com, Experian website has something similar CreditWorks programs. Please do your research before entering your personal data in another website.
FALSE ALARM! IdentityWorks is Experian’s service.
I found the Experian IdentityWorks directly in Experian.com
In the top menu, under Identity Theft Protection -> View Plans & Pricing.
I can find zero connection between Experian and ExperianIDWorks.com, not under any dropdown or heading on Experian’s actual website. IDWorks has abysmal reviews on BBB, and although the Morgan Stanley’s breach is legitimate, this letter itself smacks of fishing. I do use Credit Karma, which Experian is not affiliated with, but I have no doubt they have my personal details many times over (the actual Experian, not this IDWorks). I’ve never knowingly had an account with Morgan Stanley, but I also have no doubt they have my information. I guard it fiercely, but no doubt the fishing village off Mozambique has my details as well.
This would be easier to debunk if the actual Experian would pick up the phone to confirm/deny affiliation. Instead they circularly route you through Oblivion. Since I am able to confirm nothing by phone or the web, I’ll shred the letter and keep doing what I have been.
I received a letter, went to the Experian website and they require personal information to create an account. I don’t feel comfortable providing my ENTIRE social security number online to ANYONE. I have fraud alerts set up on my banking accounts, and that will have to do.
Thanks, that was my concern. I have been hesitating to contact Experian. You have convinced me not to bother. As it is I have no recollection of having an account with M.S.
Morgan Stanley acquired Smith Barney during the financial crisis of 2008 and that’s how I think they had information on my accounts which I closed about 2005
I received same ltr, have had no connection to Morgan Stanley and cannot find out who my “former account” was.
I too am worried about following through by entering my personal info. Has anyone on this string set themselves up for this service they are providing?
I received the letter also, instructing me to enter all my personal information on a website, which sounds like a scam. The letter is poorly printed on poor quality paper, which also looks like a scam. The customer service people were polite but otherwise not helpful to resolve my concerns. I’d like the experian protection if it’s legit, but this is ridiculous.
I think the Experian site is legitimate. When I signed up online Norton Security said the site was secure hm. I also spoke with an Experian agent.
Experian had a big data breach themselves. Wikipedia says: On 1 October 2015 Experian announced that they had discovered a data breach existing between 1 September 2013 and 16 September 2015. As many as 15 million people who used the company’s services, among them customers of American cellular company T-Mobile who had applied for Experian credit checks, may have had their private information exposed.[32][33] I am very antsy about giving them my personal information, and don’t think I can bring myself to do it.
If you have a credit card, if you have a mortgage, if you have a cell phone, if you have utilities like water or electricity in your name and probably if you have a job Experian already has your information. And they have a lot more info than what you will need to supply in order to register for the monitoring service. They are asking for your information in order to verify that you are who you claim to be.
Please, report this. Karl
It would help the credibility of the July 11, 2020 letter I received if there was a report of this potential data leakage on the https://www.morganstanley.com website. 10 minutes of searching and absolutely nothing on the topic! I would think the adverse potential effects would almost require disclosure to investors/regulators! While I am generally not in favour of more government laws, one is needed here to require *every* company post on its website all its data breaches – whether verified or potential. How does the average consumer have a chance otherwise?!
Cannot seem to navigate around your many areas without getting to the point where I can submit my Redemption code. How do I activate the services which are promised?
I have tried many times to find a reference to redemption codes and to date have not found anything but a box to insert an ACTIVATION code. I did click on the website as requested by MS but all that did was ask me to complete a long form asking for many things including social security number. No way will I provide that information even though they probably have it. There are other credit monitoring and fraud detection firms.
Mr. Hamlet, call the number in the letter and they will walk you through the process. I signed up a few months ago and am receiving monthly updates from Experian on my account.
I tried to enter my redemption code Saturday the 31st of October and couldn’t do it. Saturday was supposed to be the last day
I tried to enter redemption code as well on the 31st and it did not work