Morgan Stanley has agreed a $60 million class action settlement relating to the mishandling of legacy technology that led to two separate data breaches in 2016 and 2019.
The settlement will see all 15 million affected customers receive at least two years of fraud insurance coverage and up to $10,000 in reimbursement for any out-of-pocket losses.
The class action suits were filed after the Office of the Comptroller of the Currency (OCC) hit Morgan Stanley with a $60 million penalty in October last year for failing to properly decommission two wealth management data centres in 2016.
The OCC says that Morgan Stanley failed to "effectively assess or address risks" associated with decommissioning its hardware at the two US sites.
The bank was also accused of not doing its due diligence in selecting a vendor to carry out the decommissioning work, of then failing to monitor the vendor's performance, and of failing to maintain an appropriate inventory of customer data stored on the decommissioned hardware.
In addition, the OCC says Morgan Stanley had similar vendor management issues in 2019 when it decommissioned other devices storing customer data.
More recently, the personal information of Morgan Stanley stock plan participants was stolen after a third-party vendor suffered a data breach thanks to a vulnerability in file-sharing software from vendor Accellion. Crooks filched files containing StockPlan-related documents, including participants' names, addresses, dates of birth, social security numbers and corporate company names.