July 6, 2011 -- Personal information belonging to 34,000 investment clients of Morgan Stanley Smith Barney has been lost, and possibly stolen, in a data breach. According to two letters sent to clients, and obtained by Credit.com, the information includes clients' names, addresses, account and tax identification numbers, the income earned on the investments in 2010, and—for some clients—Social Security numbers.
The data was saved on two CD-ROMs that were protected by passwords, according to the letters, but the CDs were not encrypted.
"There's no evidence that there was any criminal intent here, or actual misuse of this information," Jim Wiggins, a spokesman for Morgan Stanley Smith Barney, said in a phone interview.
The company mailed the CDs containing information about investors in tax-exempt funds and bonds to the New York State Department of Taxation and Finance. It appears the package was intact when it reached the department, but by the time it arrived on the desk of its intended recipient the CDs were missing, Wiggins said.
The state notified Morgan Stanley Smith Barney about the lost data on June 8. The company took two weeks to conduct an "exhaustive search" of all the facilities the package passed through, Wiggins said, and then mailed the letters to clients on June 24. The tax department did not return a call for comment.
The discs were password-protected but not encrypted. "We're going to work with the state to see if we can improve the security of this data transmission," Wiggins said.
That's important, according to Adam Levin, founder and chairman of Credit.com and a data security expert. "Anybody can break a password," Levin said. "The question is: Why wasn't it encrypted?" (Read Levin's column about the breach, "The Morgan Stanley Smith Barney Breach: Losing Client Data the Old Fashioned Way.")
The two letters differ in how they instruct clients to protect themselves. In one letter, Morgan Stanley Smith Barney merely suggests that recipients check their financial statements, and report anything suspicious to their financial institutions or various, unnamed "consumer reporting agencies."
In the other letter, mailed only to clients whose Social Security or tax identification numbers were lost, the company announces it will pay for clients to enroll in a year's worth of credit monitoring services by Experian, one of the three major credit bureaus. This letter also instructs victims to call the Federal Trade Commission, and informs clients that they are entitled under U.S. law to one free credit report annually from the three major credit bureaus.
The fact that Morgan Stanley Smith Barney is willing to pay for such a service underscores the importance of the missing data, says Levin.
"This is pretty tasty stuff for somebody," Levin says. "This isn't just an identity. This is an identity attached to assets."