Morgan Stanley sacks employee who pilfered account data

Corporate security is only as strong as its weakest link -- and too often, humans fall into this category.
Written by Charlie Osborne, Contributing Writer
Morgan Stanley has confirmed discovery of an insider who allegedly stole account data relating to up to 10 percent of the firm's Wealth Management accounts.

The new year may have only just begun, but US financial institution Morgan Stanley already has a disaster to cope with. As reported by the Wall Street Journal, last summer, Morgan Stanley financial adviser Galen Marsh was able to sift through the account records of approximately 350,000 clients -- while almost none of them were his particular clients.

By the end of the year, some of these records appeared online, with offers to trade this sensitive information for digital currency. The first 15 Dec posting touted roughly six million account records from the company, while a second notice posted on 27 Dec provided specific details on 1,200 accounts, asking for 78,000 speedcoins in return, according to the publication. The posts were eventually discovered by Morgan Stanley.

In a statement released this week, Morgan Stanley confirmed that a Wealth Management employee in connection to the stolen client data has been terminated. Law enforcement has also been notified of the incident. The company said:

"While there is no evidence of any economic loss to any client, it has been determined that certain account information of approximately 900 clients, including account names and numbers, was briefly posted on the Internet. Morgan Stanley detected this exposure and the information was promptly removed."

In total, "partial" account information of up to 10 percent of all Wealth Management clients was stolen due to the claimed insider breach. According to Morgan Stanley, the data stolen by the errant employee did not include account passwords or Social Security numbers.

However, Marsh's lawyer denies the information was posted online and that his client ever tried to sell the account records, calling the sacking an "employment dispute."

Morgan Stanley is notifying customers affected by the data breach and is offering fraud monitoring services for these accounts.

The financial services firm said:

"Morgan Stanley takes extremely seriously its responsibility to safeguard client data, and is working with the appropriate authorities to conduct and conclude a thorough investigation of this incident."

Speaking to ZDNet, Paul Ayers, VP EMEA at enterprise data security firm Vormetric said:

"While news about the malicious hacking trade and the actions of elusive cyber-criminals continue to grab headlines, this case demonstrates that even the largest businesses are still struggling to protect their data from those already legitimately 'inside the fence.'

Indeed, the breadth and depth of private and public sector breaches in the past few years that have resulted from trusted insiders turning rogue indicates that there is a major disconnect when it comes to organisations' handling of data security -- and, crucially, how they manage their privileged users."

In other words, companies now no longer face just external threats. Employees may give in to threat or greed, and with their access to information, can cause a data breach without specialized knowledge or cybersecurity skills. Staff are often given far-reaching data access rights, but with this power, rouge employees can prove to be a serious risk to corporations. While the threat of insiders is unlikely to wane, companies can protect themselves more effectively by setting in place access restrictions to sensitive data and monitoring employee access to information caches.

Read on: In the world of security

Editorial standards