Morgan Stanley, Capital One’s old mistakes are causing new headaches


It looks like the ghosts of Christmas past have returned to haunt two major U.S. banks in successive weeks, as Morgan Stanley and Capital One have agreed to settle class actions over incidents that have already cost each bank millions of dollars in regulatory sanctions.

Morgan Stanley agreed to pay $60 million to resolve allegations that the personal information of 15 million current and former customers was compromised when data stored on decommissioned equipment was not completely erased and the equipment subsequently went missing, according to court documents filed Friday.

The bank denied any wrongdoing in the settlement, which was agreed in principle in November. “We have previously informed all potentially affected clients of these issues, which arose several years ago, and we are delighted to resolve this related litigation,” Morgan Stanley said in a statement Monday, according to Bloomberg.

Customers would receive at least two years of fraud insurance coverage, and each can claim reimbursement of up to $10,000 for direct losses under the agreement, which still requires the approval of Judge Analisa Torres of the U.S. District Court for the Southern District of New York, Reuters reported.

The settlement amount matches the $60 million fine Morgan Stanley incurred under an October 2020 order from the Office of the Comptroller of the Currency (OCC) following the incident. The regulator found that the bank had failed to properly oversee the 2016 decommissioning of two data centers tied to its wealth management business.

Morgan Stanley hired a third-party vendor to wipe the data from servers and other hardware, but some customer information, including Social Security numbers and dates of birth, remained on the equipment after it was sold to a recycler, a bank manager wrote in a July 2020 note. The recycler had alerted Morgan Stanley to the problem more than a year earlier.

Morgan Stanley has made “substantial” upgrades to its data security practices, it said in the settlement documents. However, the bank also disclosed a data breach in 2021, after one of its vendors discovered that data had been compromised, according to a July breach notification letter.

A capital letter

Capital One, meanwhile, has agreed to pay $190 million to settle a class action over a 2019 data breach that exposed the personal information of 106 million customers in the United States and Canada, according to documents filed Dec. 23 in the U.S. District Court for the Eastern District of Virginia.

The bank said it has fully reserved for the settlement amount, which covers 98 million U.S. consumers. Representatives for the customers, the bank and its cloud provider, Amazon Web Services (AWS), have asked the judge handling the case to stay the proceedings while the court reviews the settlement.

“While Capital One and AWS deny liability, in order to avoid the time, expense and uncertainty of continuing the litigation, the plaintiffs and Capital One have signed a term sheet containing the essential terms of a class settlement which, if approved by this court, will fully resolve all claims filed by plaintiffs,” the bank and the tech giant said in the filing, according to Bloomberg.

The OCC ordered Capital One to pay $80 million for “the bank’s failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment.”

Paige Thompson, a former AWS employee, was charged with computer fraud and abuse after allegedly accessing the data through a misconfigured firewall.

About 140,000 Social Security numbers and 80,000 linked bank account numbers belonging to credit card customers were compromised in the breach, the bank estimated. The data, drawn from credit card applications filed between 2005 and 2019, included names, postal codes, dates of birth and self-reported income. The breach also exposed credit scores, credit limits, balances, payment history and fragments of transaction data from 2016 to 2018, the bank said.

“The essential facts in this case have not changed since we announced the event in coordination with federal authorities over two years ago: the hacker was arrested and the stolen data was simultaneously recovered before it could be disseminated or used for fraudulent purposes,” Capital One told Bloomberg in an emailed statement on Dec. 23. “We are pleased to have reached an agreement that will resolve the consumer class litigation in the United States.”

The bank said it is investing in its cybersecurity program under new leadership.

The dust-up, however, has raised questions about who is responsible when data is breached in the cloud. Responsibility for the breach rests with Capital One, an AWS executive said in response to a 2019 inquiry into the incident led by Sen. Ron Wyden, D-Ore.

AWS’s role in the breach has prompted at least two lawmakers to call for the three major cloud providers (AWS, Microsoft Azure and Google Cloud) to be designated systemically important financial market utilities.