A data breach at Morgan Stanley Smith Barney (MSSB) included the exposure or theft of sensitive personal and financial information about 34,000 of the bank's investment clients. Credit.com reported the contents of the breach notification letter sent to breach victims.
According to the breach notice, two password-protected CD-ROMs that MSSB had sent to the New York State Department of Taxation and Finance never arrived. The lost or stolen CD-ROMs included investment clients' names, addresses, Social Security numbers, Morgan Stanley Smith Barney account numbers and investment income earned.
This is terrible news for several reasons:
- MSSB caused this data breach. There was nothing the breach victims could have done to prevent it
- A password-protected CD-ROM is not strong protection. A password on a disc, archive or document is only as good as the encryption behind it, if there is any, and the passphrase it was derived from; a weak or reversible scheme is a speed bump, not a lock. Data encrypted with a strong algorithm and a key properly derived from a strong passphrase stays unreadable to whoever ends up holding the discs. And were unencrypted discs in the mail really the most secure transfer method MSSB executives could find?
- Investment clients are high-value clients with plenty of money. Their stolen information is ripe for phishing attacks and for resale to other criminals, and can be used to open fraudulent accounts, obtain credit or medical coverage, or commit crimes in the breach victims' names
- Banks are high-value targets for hackers and identity criminals. The news media has reported plenty of breaches at banks. Were MSSB executives not listening, or asleep at their desks?
- Unlike credit card numbers, Social Security numbers are valid for a long time. Banks cancel and replace credit card numbers. Not so with SSNs
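To make the "password-protected versus encrypted" distinction concrete, here is an added example (not code from MSSB, the tax department, or the original post) of what protecting a disc's contents properly looks like: the passphrase is stretched into a key with PBKDF2-HMAC-SHA256, the data is sealed with AES-256-GCM, and a wrong passphrase or a tampered disc produces an authentication error rather than a readable file. The PBKDF2 routine is hand-written on top of Go's standard library so the program runs stand-alone; the iteration count, the blob layout (salt, nonce, ciphertext) and the sample client record are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen    = 16      // random salt stored with the blob (assumed layout)
	iterations = 600_000 // PBKDF2 work factor (assumed; tune to your hardware)
)

// pbkdf2SHA256 derives a 32-byte key from passphrase and salt.
// Hand-written PBKDF2-HMAC-SHA256 (RFC 8018) for a single output block,
// so the example depends only on the standard library.
func pbkdf2SHA256(passphrase, salt []byte, iters int) []byte {
	prf := hmac.New(sha256.New, passphrase)
	prf.Write(salt)
	var idx [4]byte
	binary.BigEndian.PutUint32(idx[:], 1) // INT(1): first (and only) block
	prf.Write(idx[:])
	u := prf.Sum(nil)
	t := append([]byte(nil), u...) // T1 = U1 xor U2 xor ... xor Uc
	for i := 1; i < iters; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// newGCM builds an AES-256-GCM instance from a passphrase-derived key.
func newGCM(passphrase, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256(passphrase, salt, iterations))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealMedia returns salt || nonce || ciphertext || tag. The salt and
// nonce are bound into the tag as additional data, so altering the
// header is detected just like altering the ciphertext.
func sealMedia(passphrase, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	header := append(append([]byte(nil), salt...), nonce...)
	out := append([]byte(nil), header...)
	return gcm.Seal(out, nonce, plaintext, header), nil
}

// openMedia reverses sealMedia; any wrong passphrase, flipped bit or
// truncated blob yields an error instead of garbage plaintext.
func openMedia(passphrase, sealed []byte) ([]byte, error) {
	if len(sealed) < saltLen {
		return nil, errors.New("sealed blob too short")
	}
	gcm, err := newGCM(passphrase, sealed[:saltLen])
	if err != nil {
		return nil, err
	}
	hdrLen := saltLen + gcm.NonceSize()
	if len(sealed) < hdrLen+gcm.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	header := sealed[:hdrLen]
	return gcm.Open(nil, header[saltLen:], sealed[hdrLen:], header)
}

func main() {
	// Constructed sample record, not real client data.
	record := []byte("client 0001,Jane Doe,123-45-6789,acct 9876543210,income 12345.67\n")
	sealed, err := sealMedia([]byte("long random passphrase kept off the disc"), record)
	if err != nil {
		panic(err)
	}
	got, err := openMedia([]byte("long random passphrase kept off the disc"), sealed)
	fmt.Println("correct passphrase:", err == nil && bytes.Equal(got, record))
	_, err = openMedia([]byte("guess"), sealed)
	fmt.Println("wrong passphrase rejected:", err != nil)
}
```

The point of the layout is that nothing on the disc helps an attacker except by brute force against the passphrase, and each guess costs the full PBKDF2 work factor. That is what "encrypted" should mean on a shipped disc; a viewer that merely asks for a password before displaying cleartext does not meet the bar.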
The lost/stolen MSSB CD-ROMs reminded me of my experience with IBM's data breach in 2007. MSSB needs to do the right thing for its breach victims -- at least five years of complimentary and comprehensive credit monitoring. Why? The length of the free credit monitoring services should match the risk period. And SSNs don't go bad. There have to be consequences when companies don't adequately protect consumers' sensitive personal and financial data. If the free credit monitoring period doesn't match the risk period, then MSSB has unfairly shifted the burden from itself to the breach victims it created.
A check of the MSSB website did not find a press release about the data breach. I guess that MSSB is hoping that this data breach will blow over and be quickly forgotten.
Credit.com summed up the situation appropriately:
"What this letter really says is that after all the coverage of all of the breaches, all the horror stories, all the misery, all the litigation, all the heroic pronouncements by all the regulators, legislators, corporate leaders and consumer advocates, the memo still didn’t get to Wall Street where they obviously care more about intellectual property, trade secrets, inside trading, outsized profits and complaining about over-regulation than their most precious asset: their customers."
Yep. What companies do -- or don't do -- to protect their customers says more than any words. It definitely seems to me that MSSB is not taking data security as seriously as it should.