U.S. Markets closed

Data Breach: Morgan Stanley Took ‘Bare Minimum’ Precautions to Protect Customer Information, Says Maag

Fin - Daily Ticker - US

Morgan Stanley Smith Barney is the latest company behind Sony and Epsilon to have its customers' personal data compromised.

The investment firm notified 34,000 of its clients late last month that two CD-ROMs containing sensitive information had gone missing after being sent to the New York State Department of Taxation and Finance for standard tax reporting purposes. The package did reach the department intact; however, it disappeared at some point after delivery.

The missing information includes names, address, account numbers, tax identification numbers, the amount of money clients earned on 2010 investments and in some cases Social Security numbers.

"It would be difficult to get into these investment accounts," says Chris Maag, the reporter at Credit.com who broke the story earlier this week after one of his colleagues received a notification letter from Morgan Stanley that their information is in jeopardy. "But if however you were to get this, you would have the names, home addresses and social security numbers of people you know to be pretty high net income, high net wealth. And that's valuable information. That right there could be sold on the black market for quite a bit of money."

The investment firm told Maag in a phone interview that, to date, "There's no evidence that there was any criminal intent here, or actual misuse of this information."

But until the CD-ROMs are safely located, there is really no way to know this for sure. The uncertainty over the matter is heightened by the fact that the investment firm only password-protected the disks and took no steps to encrypt the files.

"It's kind of like they did the bare minimum, but they did not take the extra step to encrypt [the information]," says Maag, who joined The Daily Ticker's Aaron Task. "They are going to look into changing and enhancing their security procedures from here on out and they are going to look into improving how to send this information to the state."

In letters to its clients whose Social Security numbers have been placed at risk, Morgan Stanley says it will pay for credit-monitoring services. All other clients involved in the data breach were advised to self-monitor accounts for any unusual activity.