The data theft at Morgan Stanley's wealth management unit provides a cautionary tale to financial firms that give employees access to vast amounts of customer data.
Last week, Morgan Stanley said in a press release that it fired a financial adviser in its wealth management division who stole data from 350,000 clients, or about 10% of its customer base. Galen Marsh, 30, had worked for Morgan Stanley since 2008 and was promoted from sales assistant to financial adviser in 2014. Bank Technology News reported that the adviser used a reporting tool that gave him access to massive amounts of data on clients.
Though the full story has not come out yet, the data breach by a trusted employee raises red flags for other financial firms. "The real problem lies in Morgan Stanley policies and procedures around information security," said Mayiz Habbal, CEO of Capital Markets Leadership Group. "Why would a junior adviser have access to 350,000 accounts?"
Another mystery is how the data was uploaded to Pastebin, a text-sharing site. On Dec. 27, someone posted a cache of data on 1,200 accounts and directed potential buyers to a different website, gourl.io, where someone pledged to pay 78,000 speedcoins (a type of virtual currency) in exchange for more information on Morgan Stanley's clients.
Habbal said Marsh must have been watched or targeted by a third party through a friend or was lured into an online trap while browsing. "He made a mistake, and others made use of it. His own computer was used to post the data for sale."
According to Bank Technology News, Marsh gained access to the client information by figuring out how to run reports on the firm's wealth management system. A source at Morgan Stanley told BTN that Marsh did not hack into the system; he ran internal reports on records that he was not authorized to access. An investigation found that data was downloaded to Marsh's PC and to his personal devices.
Marsh's attorney told Bloomberg News that his client did not post the client data on the Internet, share the information with anyone, or attempt to sell it. The FBI is conducting a probe into the incident.
Morgan Stanley said in its release last week that it "takes extremely seriously its responsibility to safeguard client data, and is working with the appropriate authorities to conduct and conclude a thorough investigation of this incident."
Though the company said there was no evidence of economic loss to clients, the information included account names, numbers, and transactions and was briefly posted on the Internet. The stolen data didn't include Social Security numbers and passwords, the company said.
The incident exposes a new type of threat -- insiders and rogue employees who can gain access to confidential data on clients, post it on a site, and then attempt to sell it on the black market. Firms are already scrutinizing their networks for intruders, viruses, and malware, but this adds another wrinkle to the threat landscape being policed by financial companies.
Previous data breaches like those at JPMorgan Chase, Target, Home Depot, and (more recently) Sony Pictures all have similar characteristics, according to Bob Olson, vice president and head of the global financial services practice at Unisys. "People with bad intentions somehow got into the network. The challenge that Morgan Stanley had is you actually had a rogue employee that got in and started doing some things."
It's also important to understand the motivation of the employee, he said. Was it monetary gain, or was it a desire to inflict reputational damage on Morgan Stanley? To get to the root cause of the data breach, you need to look at motivation. "He probably wants to monetize this information." However, Marsh's attorney has said that his client downloaded the data but had not posted it online and did not intend to sell it.
In light of the data breach, experts say that financial firms need to ring-fence their most valuable assets and allow employees to access only the data necessary to complete their job. In this case, the employee was not authorized to access the client information yet still managed to find a way around that.
Cloak and contain
"It's the concept of least privileges," Olson said. "What's the least amount of information that someone needs to do their job?" Many companies are adopting this approach. For example, someone who works in human resources or technology should only have access to what's necessary for HR or technology. Firms will take this "containment" approach, where they contain the ability of people to navigate into certain areas.
"I think there's acknowledgment that there are crown jewels in financial services -- client data, clearing, trading information," he said. "You want to cloak those and make sure you have the ability to limit who has access to the crown jewels." Additionally, firms need to place additional restrictions around crown jewels data. They need to think about how to contain what a rogue employee who infiltrated the network could access. Alerts should go off if employees infiltrate a system where they are not supposed to be.
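As an added illustration of the least-privilege and alerting approach described above (example code written for this page, not Morgan Stanley's reporting system or any tool the article describes), the following Python models a reporting tool that restricts each adviser to their assigned book of accounts, audits every request including denied rows, and raises alerts both on out-of-scope attempts and on bulk reads that pass authorization but exceed a volume threshold. The adviser names, account identifiers, day label and threshold are all constructed for the example.

```python
# Added example, not code from the article or from Morgan Stanley: a toy
# reporting-tool gatekeeper that enforces "book of business" least privilege
# and raises alerts on out-of-scope or bulk record access.
from collections import defaultdict

# Constructed sample data: the accounts each adviser is assigned to service.
ASSIGNED_ACCOUNTS = {
    "adviser_a": {"ACC-1001", "ACC-1002", "ACC-1003"},
    "adviser_b": {"ACC-2001", "ACC-2002"},
    # A large but legitimate book, to show volume alerting is independent
    # of authorization.
    "adviser_c": {f"ACC-{3000 + i}" for i in range(30)},
}

# Constructed threshold: alert when one user reads more distinct accounts
# in a day than this, even if every read was authorized.
BULK_THRESHOLD = 25


def is_authorized(user, account):
    """Least privilege: a user may only read accounts in their own book."""
    return account in ASSIGNED_ACCOUNTS.get(user, set())


def run_report(user, requested_accounts, audit_log, day):
    """Filter a report request down to authorized accounts and audit everything.

    Denied rows are not silently dropped: each one is logged so that a
    detector can see out-of-scope attempts, not only successful reads.
    """
    allowed, denied = [], []
    for account in requested_accounts:
        ok = is_authorized(user, account)
        (allowed if ok else denied).append(account)
        audit_log.append({"day": day, "user": user, "account": account, "allowed": ok})
    return allowed, denied


def detect_anomalies(audit_log, threshold=BULK_THRESHOLD):
    """Return alerts for (a) any denied access and (b) bulk authorized reads.

    Bulk counting uses only allowed rows: denied attempts already produce
    an out-of-scope alert, and counting them twice would double-alert.
    """
    denied_by_user = defaultdict(int)
    read_by_user_day = defaultdict(set)
    for entry in audit_log:
        if entry["allowed"]:
            read_by_user_day[(entry["user"], entry["day"])].add(entry["account"])
        else:
            denied_by_user[entry["user"]] += 1

    alerts = []
    for user, count in sorted(denied_by_user.items()):
        alerts.append({"type": "out_of_scope_access", "user": user, "count": count})
    for (user, day), accounts in sorted(read_by_user_day.items()):
        if len(accounts) > threshold:
            alerts.append({"type": "bulk_access", "user": user, "day": day,
                           "count": len(accounts)})
    return alerts


def demo():
    """Constructed scenario on a single day labelled "d1":
    adviser_a stays in scope, adviser_b requests 60 accounts outside their
    book, adviser_c legitimately reads all 30 accounts in a large book."""
    audit_log = []
    run_report("adviser_a", ["ACC-1001", "ACC-1003"], audit_log, "d1")
    foreign = [f"ACC-{9000 + i}" for i in range(60)]
    run_report("adviser_b", ["ACC-2001"] + foreign, audit_log, "d1")
    run_report("adviser_c", sorted(ASSIGNED_ACCOUNTS["adviser_c"]), audit_log, "d1")
    return detect_anomalies(audit_log)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The two alerts the scenario produces are deliberately different in kind: the out-of-scope alert fires because the access-control layer denied rows, while the bulk alert fires for a user whose every read was authorized. A reporting tool that only logs successful reads, or only denies without logging, would miss one or the other.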
Despite all these precautions, determined insiders who know their way around a system can still find a loophole. "The key is for the [bank's] chief information security officer not to trust anybody," Olson said. "And if you take it from there, you operate with a different mindset."
Ivy is Editor-at-Large for Advanced Trading and Wall Street & Technology. Ivy is responsible for writing in-depth feature articles, daily blogs and news articles with a focus on automated trading in the capital markets. As an industry expert, Ivy has reported on a myriad ...