Morgan Stanley fires insider who leaked client data on Pastebin

Global financial services firm Morgan Stanley has announced on Monday that it has fired an employee of its Wealth Management Group following the theft of “partial client data.”

According to Yahoo Finance, he stole information of some 350,000 wealth management clients.

“While there is no evidence of any economic loss to any client, it has been determined that certain account information of approximately 900 clients, including account names and numbers, was briefly posted on the Internet. Morgan Stanley detected this exposure and the information was promptly removed,” the company noted.

“Overall, partial account information of up to 10 percent of all Wealth Management clients was stolen. The data stolen does not include account passwords or social security numbers. The firm is taking the precaution of notifying all potentially affected clients and instituting enhanced security procedures including fraud monitoring on these accounts.”

The FBI has been notified of the matter and is investigating.

According to NYT sources, the employee in question is 30-year-old financial adviser Galen Marsh, who has been with the company since 2008.

His lawyer confirmed that Marsh took the data, but that he has been cooperating with the firm and the authorities. He also stated that Marsh had no intention of selling the data, and denied that he had shared some of the information online (on Pastebin) in an attempt to sell the rest.

There is apparently no evidence that any third party got their hands on the stolen data.

“While news about the malicious hacking trade and the actions of elusive cyber-criminals continue to grab headlines, this case demonstrates that even the largest businesses are still struggling to protect their data from those already legitimately “inside the fence’,” noted Paul Ayers, VP EMEA of Vormetric.

“Indeed, the breadth and depth of private and public sector breaches in the past few years that have resulted from trusted insiders turning rogue indicates that there is a major disconnect when it comes to organisations’ handling of data security – and, crucially, how they manage their privileged users.”

“Many organisations have employees who have powerful, far-reaching data access rights by necessity of their job function. However, how these users are controlled, and their actions monitored, is often a weak link in the security framework,” he pointed out for Help Net Security.

“While there has been no evidence of economic loss to the some 350,000 clients who had their names and account numbers leaked – 10 percent of Morgan Stanley’s customer base – the inappropriate or unauthorised access and theft of confidential company or customer data is no longer acceptable. Not least when solutions exist that allow you to restrict access to sensitive information while still giving employees the tools they need to perform their work – namely, transparent encryption coupled with deep-level security intelligence. Businesses wishing to protect themselves must take a data-centric and data-first approach. The bottom line is that, with proper controls in place, you can maintain the essential activities of your staff and privileged accounts, without needlessly putting data at risk.”