It seems ghosts of Christmases past returned to haunt two large U.S. banks in successive weeks, as Morgan Stanley and Capital One agreed to settle class-action lawsuits pertaining to incidents that have already cost each bank millions of dollars in regulatory penalties.
Morgan Stanley agreed to pay $60 million to resolve claims that the personal information of 15 million current and former clients was compromised when data stored on decommissioned equipment wasn’t completely wiped clean, then went missing, according to court documents filed Friday.
The bank denied wrongdoing in the settlement, agreed to in principle in November. “We have previously notified all potentially impacted clients regarding these matters, which occurred several years ago, and are pleased to be resolving this related litigation,” Morgan Stanley said in a statement Monday, according to Bloomberg.
Customers would receive at least two years of fraud insurance coverage, and each can apply for reimbursement of up to $10,000 for out-of-pocket losses under the agreement, which still requires sign-off from Judge Analisa Torres of the U.S. District Court for the Southern District of New York, Reuters reported.
The settlement amount matches the $60 million fine Morgan Stanley incurred under an Office of the Comptroller of the Currency (OCC) order in October 2020 as a result of the incident. The regulator asserted the bank failed to properly oversee the decommissioning of two data centers connected to its wealth management business in 2016.
Morgan Stanley hired a third-party vendor to wipe data from servers and other hardware, but some customer information — including Social Security numbers and birth dates — remained on the equipment after it was sold to a recycler, a bank executive wrote in a July 2020 memo. The recycler alerted Morgan Stanley to the issue more than a year earlier.
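The failure described above is a wipe that was handed to a vendor and never independently verified before the hardware left custody. As an added illustration (not code from the article or from either bank), the following Python models that failure mode and the check that would catch it: a wipe that stops early leaves whole blocks of customer records intact, and a verification pass that reads every block back flags them. The disk image, the record layout and the `ssn_like`/`date_like` patterns are constructed for this example; a real decommissioning programme would use its own data-classification signatures and the verification steps in NIST SP 800-88.

```python
"""Verify that a decommissioned storage image has actually been wiped.

Added example for the incomplete-wipe failure mode: the disk image, the
fake client records and the pattern names below are constructed for
illustration and are not taken from the article or from either bank.
"""
import re

BLOCK_SIZE = 4096

# Signatures that indicate residual structured data. Constructed examples:
# a 9-digit SSN-like pattern and an ISO date. Real programmes would use the
# organisation's own data-classification signatures.
RESIDUAL_PATTERNS = {
    "ssn_like": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "date_like": re.compile(rb"\b(19|20)\d{2}-\d{2}-\d{2}\b"),
}


def make_sample_image(n_blocks: int) -> bytearray:
    """Build a constructed disk image: every block carries one fake record."""
    img = bytearray()
    for i in range(n_blocks):
        record = f"client={i:06d};ssn=123-45-{i % 10000:04d};dob=1970-01-15;".encode()
        img += record.ljust(BLOCK_SIZE, b"\0")
    return img


def partial_wipe(img: bytearray, stop_at_block: int) -> None:
    """A wipe that quits early, like the incomplete vendor wipe in the article."""
    img[: stop_at_block * BLOCK_SIZE] = b"\0" * (stop_at_block * BLOCK_SIZE)


def full_wipe(img: bytearray) -> None:
    """Overwrite every byte (single zero pass; verification is the point here)."""
    img[:] = b"\0" * len(img)


def verify_wiped(img: bytes) -> dict:
    """Read every block back and report any that still hold non-zero bytes
    or recognisable record patterns. Returns counts rather than a bare bool
    so an audit log can record what was found and where.
    """
    n_blocks = (len(img) + BLOCK_SIZE - 1) // BLOCK_SIZE
    dirty_blocks = []
    pattern_hits = {name: 0 for name in RESIDUAL_PATTERNS}
    for b in range(n_blocks):
        chunk = img[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE]
        if chunk.count(0) != len(chunk):
            dirty_blocks.append(b)
            for name, pat in RESIDUAL_PATTERNS.items():
                pattern_hits[name] += len(pat.findall(chunk))
    return {
        "blocks_total": n_blocks,
        "blocks_dirty": len(dirty_blocks),
        "first_dirty_block": dirty_blocks[0] if dirty_blocks else None,
        "pattern_hits": pattern_hits,
        "clean": not dirty_blocks,
    }


if __name__ == "__main__":
    image = make_sample_image(16)
    partial_wipe(image, 10)        # vendor stops after 10 of 16 blocks
    print("after partial wipe:", verify_wiped(image))
    full_wipe(image)
    print("after full wipe:", verify_wiped(image))
```

The design point is that the verification reads the whole medium, not a sample, and is run by the owner of the data rather than by the party that performed the wipe; a report with a block count and a first-dirty-block offset is what a decommissioning record should retain as evidence that the hardware was clean before it was sold or recycled.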
Morgan Stanley has made "substantial" upgrades to its data security practices, it said in settlement papers. However, the bank also suffered a data breach in 2021, after one of its vendors discovered data had been compromised, according to a July breach notification disclosure letter.
Capital One, meanwhile, agreed to pay $190 million to settle a class-action lawsuit related to the 2019 data breach that exposed the personal information of 106 million customers in the U.S. and Canada, according to paperwork filed Dec. 23 in the U.S. District Court for the Eastern District of Virginia.
The bank said it is fully reserved for the settlement amount, which covers 98 million U.S. users. Representatives for the customers, the bank and its cloud provider, Amazon Web Services (AWS), asked the judge in the case to pause proceedings while the court evaluates the settlement.
“While Capital One and AWS deny all liability, in the interest of avoiding the time, expense and uncertainty of continued litigation, plaintiffs and Capital One have executed a term sheet containing the essential terms of a class settlement that, if approved by this court, will fully resolve all claims brought by plaintiffs,” the bank and tech giant said in the filing, according to Bloomberg.
The OCC ordered Capital One to pay $80 million over the bank's "failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment."
Paige Thompson, a former AWS employee, was charged with computer fraud and abuse after allegedly accessing the data through an improperly configured firewall.
About 140,000 Social Security numbers and 80,000 account numbers linked to credit card customers were compromised in the breach, the bank estimated. The data, connected to credit card applications filed between 2005 and 2019, included names, postal codes, birth dates and self-reported income. The breach also exposed credit scores, credit limits, balances, payment history and fragmented transaction history from 2016 to 2018, the bank said.
“The key facts in this case have not changed since we announced the event in coordination with federal authorities more than two years ago: the hacker was arrested and the stolen data was simultaneously recovered before it could be disseminated or used for fraudulent purposes,” Capital One told Bloomberg in an emailed statement Dec. 23. “We are pleased to have reached an agreement that will resolve the consumer class litigation in the U.S.”
The bank said it is investing in its cybersecurity program under new leadership.
The dust-up, however, prompted questions as to where responsibility lies in data breaches. The onus of the security gaps falls on Capital One, an AWS executive said in response to a 2019 inquiry into the incident by Sen. Ron Wyden, D-OR.
AWS’s role in the breach pushed at least two lawmakers to call for the three leading cloud providers — AWS, Microsoft Azure and Google Cloud — to be considered systemically important financial market utilities.