Morgan Stanley, the global banking and financial services corporation, has fired a financial adviser who stole data on 350,000 clients, The New York Times reported yesterday, naming 30-year-old Galen Marsh as the terminated employee.
Morgan Stanley first realised that there was an issue on 27 December 2014, when the bank discovered account names, numbers and transaction data for more than 900 clients posted on the internet, according to The New York Times report.
Forbes indicated in a Monday report that the data was posted to the internet by the former employee who stole the information. Citing a source familiar with the issue, Forbes reported that the former employee is male, worked in wealth management, and was trying to sell the data to identity thieves.
“Overall, partial account information of up to 10 percent of all Wealth Management clients was stolen,” Forbes reported, quoting Morgan Stanley. “The data stolen does not include account passwords or social security numbers.”
There is no evidence of financial losses to customers, Bloomberg reported on Monday, adding that Morgan Stanley has notified law enforcement and is currently notifying all potentially impacted customers.
In a Monday email correspondence, Jonathan Sander, strategy and research officer for STEALTHbits Technologies, told SCMagazine.com in the US that data on wealth management clients is a big target for those looking to make a profit.
“Rich people have money hackers want to steal and a list of them would be something you can sell,” Sander said. “The interesting part of Morgan Stanley's announcement is they have figured out it's good press to say ‘we found a problem and eliminated it right away’ instead of hiding it until someone else tells the news. Talking openly about the fact that insiders can breach security but diligence can catch them and fix it is good for Morgan Stanley and the information security world as a whole.”
Paul Ayers, VP EMEA at Vormetric, commented in a release to the press: “... this case demonstrates that even the largest businesses are still struggling to protect their data from those already legitimately ‘inside the fence’.
“While there has been no evidence of economic loss to the some 350,000 clients who had their names and account numbers leaked – 10 percent of Morgan Stanley's customer base – the inappropriate or unauthorised access and theft of confidential company or customer data is no longer acceptable. Not least when solutions exist that allow you to restrict access to sensitive information while still giving employees the tools they need to perform their work – namely, transparent encryption coupled with deep-level security intelligence. Businesses wishing to protect themselves must take a data-centric and data-first approach. The bottom line is that, with proper controls in place, you can maintain the essential activities of your staff and privileged accounts, without needlessly putting data at risk.”
Morgan Stanley did not respond to a Monday SCMagazine.com request for comment.