Morgan Stanley has agreed to pay $60 million to resolve a lawsuit filed by customers alleging that the Wall Street bank exposed their personal information by failing to properly retire part of its older information technology on two occasions.

On Friday night, a preliminary settlement of the proposed class action on behalf of roughly 15 million consumers was filed in federal court in Manhattan, and U.S. District Judge Analisa Torres must approve it.

Customers would be covered against fraud for at least two years and could claim up to $10,000 in reimbursement for out-of-pocket losses.

According to settlement agreements, Morgan Stanley denied wrongdoing and made "substantial" improvements to its data security processes.

Customers claimed that Morgan Stanley neglected to decommission two wealth management data centers in 2016 before unencrypted equipment containing customer data was resold to unauthorized third parties.

They further claimed that after Morgan Stanley migrated some outdated servers containing client data to an outside vendor in 2019, some of the data vanished. According to court documents, Morgan Stanley was able to recover the servers later.

Morgan Stanley said in an email on Monday that it has notified all affected customers and was glad to reach a settlement in the case.

Morgan Stanley agreed to pay a $60 million civil fine in October 2020 to settle allegations made by the US Office of the Comptroller of the Currency over the incidents, including that its information security methods were risky or unsound.

In re Morgan Stanley Data Security Litigation, No. 20-05914, U.S. District Court, Southern District of New York.