SmartMoney Blogs

Pay Dirt
A daily look at what we buy, how we spend, and the companies that do right - and wrong - by their customers.

Lessons From the Morgan Stanley Data Breach


Brokerage Morgan Stanley Smith Barney has warned 34,000 account holders of a data breach that exposed Social Security numbers, account information and addresses, among other data.

The information, stored on two password-protected CDs, was lost en route to the New York State Department of Taxation and Finance in early June, says Jim Wiggins, a spokesman for Morgan Stanley. The package arrived but the CDs did not, and subsequent searches by the department, brokerage and U.S. Postal Service failed to locate them. “We’ve seen no evidence of criminal intent or actual misuse of this information,” Wiggins says. The breach affected less than 1% of the brokerage’s accounts. Account holders whose Social Security numbers were exposed in the breach will receive a year of credit monitoring from credit bureau Experian.

That’s small comfort to account holders if the information was stolen and not lost, says Adam Levin, co-founder of Identity Theft 911 and, which initially reported the breach from accountholder letters. Unlike stolen credit card numbers, which must be used quickly before issuers close them, thieves could hang onto stolen SSNs for years before using them. “Identities are currency, they’re evergreen,” Levin says. That type of identity theft can also cause a wider variety of problems for the victim: new debts in his or her name, medical expenses or even a criminal record. “They re-create you,” he says. Account holders whose Social Security numbers weren’t part of the breach can’t rest easy, either. Account numbers could still be used for fraud, and enterprising thieves could reach out to victims in the guise of the brokerage to mine for other information.

The breach is a good reminder for consumers that not all breaches are the result of hacking, Levin says. In a breach, victims’ best recourse is to change their log-in information, request new numbers for any credit or debit cards linked to their accounts, and monitor accounts daily for problems, he says. Call the breached company directly with any questions, instead of responding to unsolicited emails or calls. The Fair Credit Reporting Act entitles you to one credit report a year from each of the three bureaus — pull one every four months from Your employer, insurance company or bank may also offer identity theft resolution services as a perk, he says, so ask around to see if you have that extra protection.


We welcome thoughtful comments from readers. Please comply with our guidelines. Our blogs do not require the use of your real name.

Comments (0)

    • Be the first to leave a comment on this blog.

About Pay Dirt

  • Pay Dirt examines the millions of consumer decisions Americans make every day: What to buy, how much to pay, whether to rave or complain. Lead written by Quentin Fottrell, the blog examines these interactions, providing readers with news, insight and tips on shopping, spending, customer service, and companies that do right – and wrong – by their customers. Send items, questions and comments to or tweet @SMPayDirt.