Morgan Stanley Smith Barney has some bad news for 34,000 investment clients. In a notice posted on its website yesterday, the firm warned that their personal information "has been lost, and possibly stolen, in a data breach." The information includes clients' names, addresses, account and tax identification numbers, income earned on the investments in 2010, and in some cases, even Social Security numbers. Unlike some recent hacker attacks, Morgan Stanley has only itself to blame in this case.
The outfit said all that juicy data was saved on two password-protected CD-ROMs, but the CDs were not encrypted. Morgan Stanley mailed the CDs to the New York State Department of Taxation and Finance, and while the package was intact when it reached its destination, by the time it made it to the desk it was intended for, the CDs were gone.
"There's no evidence that there was any criminal intent here, or actual misuse of this information," Jim Wiggins, a spokesman for Morgan Stanley, said in a phone interview with Credit.com.
Malicious intent or not, the lack of encryption on media containing personal information of thousands of clients is troubling, and Wiggins said his firm is "going to work with the state to see if we can improve the security of this data transmission." Also concerning is how long it took Morgan Stanley to warn customers their personal information is at risk. The state notified Morgan Stanley about the lost data on June 8, and it took the company two weeks to conduct an "exhaustive search" of all facilities the CDs passed through, Credit.com reports. Morgan Stanley mailed letters to clients on June 24.
One of the letters suggested clients check their financial statements for suspicious activity. In a second letter mailed only to clients whose Social Security or tax identification numbers were lost, the company said it would foot the bill for clients to enroll in a year's worth of credit monitoring services by Experian.