The lost information includes clients’ names, addresses, account and tax IDs, income earned on investments, and, for some clients, social security numbers, according to the letters sent to clients obtained by Credit.com.
The information was saved on two CD-ROMs that were password protected, but not encrypted. The discs were lost after the company mailed them to the New York State Department of Taxation and Finance. The package was intact when it was received by the department, but the CDs were missing, Jim Wiggins, a spokesman for the company, told Credit.com in a phone interview.
The state notified Morgan Stanley Smith Barney about the lost data on June 8, and the company conducted a two week search for the discs and then mailed the letters informing clients of the breach.
According to a copy obtained by Credit.com, one of the letters read:
"Morgan Stanley was recently notified by the New York State Department of Taxation and Finance that two password-protected CD ROMs included in the package received from Morgan Stanley Smith Barney were missing from the package when it was delivered to the intended recipient within the Department. The CD ROMs included sensitive information about your account that was sent as a requirement to New York State after filing annual 1099 tax forms. The sensitive information on the password-protected CD-ROMs included names, addresses, Social Security numbers, Morgan Stanley Smith Barney account numbers and income earned on tax exempt bonds or funds you hold or held in 2010.”
For clients who had their social security numbers lost, the company offered to provide one year’s worth of credit monitoring services through Experian.
Wiggins told the Wall Street Journal that the company is examining the practice of sending CDs with sensitive personal information in the mail. "We're examining with the state of New York how we can increase the security of this kind of data transmission", he said.