Investors are left wondering who may have stolen the CDs that contain sensitive personal data, including Social Security numbers, while en route to the New York State Tax Department.
Morgan Stanley Smith Barney reported that personal information belonging to
34,000 investment clients has been lost and potentially stolen. Unlike recent
data breaches, the data appear to have been lost in the mail.
mailed two CDs containing information for 34,000 clients to the New York State
Department of Taxation and Finance, Jim Wiggins, a Morgan Stanley Smith Barney
Credit.com July 6. While the package appeared intact when it reached the
department, the CDs were missing when the intended recipient received it.
was notified June 8 that the CDs were missing and the company conducted an
"exhaustive search" of all the facilities the package passed through. After
failing to find them, it mailed letters to clients June 24.
contained personal identifying information, including clients' names,
addresses, account and tax identification numbers, income earned on investments
in 2010 and Social Security numbers, the company said. The information was
mailed to the state because it requires account information for investors of
tax-exempt bonds and funds after annual 1099 tax forms are filed, Morgan
Stanley said in its letter to customers.
has yet to see any evidence of criminal intent or misuse of the missing
information. Even so, the company will offer a year of credit-monitoring
services with Experian for clients whose Social Security numbers were
breach sightings have rapidly evolved from the Flavor of the Month, to news
reel of the week, to -News at Eleven,'" wrote Adam Levin
, co-founder and chairman of Identity
Theft 911 and Credit.com.
whether Morgan Stanley regarded information security as a priority, considering
that the CDs were password-protected but not encrypted. It's not clear whether
it's standard procedure at Morgan Stanley Smith Barney not to encrypt data or
whether the New York State Tax Department lacks the technology to decrypt
secured data, Levin said.
can break a password. The question is: Why wasn't it encrypted?" Levin
It is also
unclear why CD-ROMs were used to transmit the data in the first place, Levin
said, noting that if this was part of routine reporting done every year, it
would have made more sense to have a secure communications link between the
sender and recipient.
examining with the state of New York how we can increase the security of this
kind of data transmission," Wiggins told Credit.com
which data like Social Security numbers, birth dates and addresses are stolen
are a bit riskier than when credit card numbers and account numbers are stolen,
according to Eduard Goodman, chief privacy officer of Identity Theft 911
. While banks can shut down
accounts and reissue new numbers, Social Security numbers have a "long shelf
life," and can be used to spawn dozens of new accounts and are often traded
internationally among organized criminals, Goodman said.
damage to your good name is greater," Goodman said. Users should exercise good
data-management, such as shredding sensitive documents before throwing them
away, using a locking mailbox and reviewing free credit reports every year to
protect against potential identity theft, he said.
letter really says is that after all the coverage of all of the breaches, all
the horror stories, all the misery, all the litigation, all the heroic
pronouncements by all the regulators, legislators, corporate leaders and
consumer advocates, the memo still didn't get to Wall Street, where they
obviously care more about intellectual property, trade secrets, inside trading,
outsized profits and complaining about over-regulation than their most precious
asset: their customers," Levin said.