The leak of client records at Morgan Stanley illustrates the danger posed when just one employee has unauthorized or unsecured access to sensitive information, as well as the ongoing threat to financial institutions from insider theft.
The investment bank said this week that a rogue employee stole account records for 350,000 of its wealth management clients and posted 900 of those records online. The bank has answered some questions about the case, but others remain open.
The incident is similar in one respect to the JPMorgan Chase breach disclosed in August. In that case, account records of 76 million households and seven million business clients were compromised through one employee's computer, which had an unencrypted connection to a server containing the data.
This much is certain: On Dec. 27, someone posted a trove of records on 900 of Morgan Stanley's wealthiest clients to Pastebin, an online bulletin board where anyone can anonymously post plain text. The site was used by the Al Qassam Cyber Fighters to announce their distributed denial of service attacks against banks two years ago and by political dissidents in Venezuela to share information during protests last year.
The Pastebin poster promised additional information on Morgan Stanley clients in exchange for 78,000 speedcoins (an obscure Internet currency, described by its developers as "a lite version of Bitcoin").
Oddly enough, this was a meager bounty; 78,000 speedcoins are only worth about $2.95, according to a currency converter on the wallet provider Cryptonator's website. Presumably, it would have been more profitable to take the information to another wealth-management firm.
Meanwhile, Morgan Stanley's data loss prevention system caught an employee, 30-year-old financial advisor Galen Marsh, accessing 350,000 records from a wealth management system. No Social Security numbers, passwords or credit card numbers were compromised and there were no signs of fraud on any of the affected accounts. (The bank has about 3.5 million wealth management clients all told.)
The bank, which says it caught this breach within eight hours, acted quickly: Marsh was fired, the account information was wiped off Pastebin, and the software Marsh allegedly used to access the data was shut down.
But some mysteries remain, such as: Was Marsh the person who posted the information on Pastebin? Did he act alone? And why was he able to access so many records in the first place?
The Bank's Account
According to an executive at Morgan Stanley who did not want to be named, Marsh, who was promoted to financial advisor from sales assistant about a year ago, gained access to the records by finding a way to run reports in the bank's wealth management software. Contrary to some news reports, the bank says he did not hack into the system, but navigated it in a way he wasn't supposed to.
"He figured out how to run internal reports on our systems and he downloaded them," the executive said. The information included some client data: names, account numbers, and some asset value and transactional information.
Marsh was not authorized to access the information, the bank said. "He just figured out how to do something he shouldn't have been doing," the Morgan Stanley executive said. He would not say what software program was used to run the report.
Marsh has admitted he improperly accessed the information and said he is cooperating with Morgan Stanley, but his lawyer, Robert C. Gottlieb of Gottlieb & Gordon, denied that his client posted the compromised account information on Pastebin.
"Mr. Marsh never posted anything online, he never authorized anyone to post anything online, he never sold the account information, he never intended to sell it and he did not share one bit of account information with anyone," Gottlieb said Wednesday. "That is the end of the story."
Morgan Stanley said it believes Marsh was trying to monetize the information. "We do not believe what his lawyer is saying," the bank executive said. "If he wasn't planning on selling it, what was he doing with it?"
Asked if there's a logical explanation for why the records Marsh downloaded to his computer match the records posted on Pastebin, Gottlieb replied, "You bet your life there's a logical explanation and the bank knows the logical explanation. And I don't know why they continue to even speculate or suggest that Mr. Marsh had any hand in posting anything when the bank knows he did not."
Gottlieb did not share the explanation. "When we complete our investigation and go public, we'll share that," he said. "Is there any evidence, corroboration that Morgan Stanley can share to support their misleading speculation?"
If Marsh did not post the information, then one of three scenarios might have occurred: his computer was hacked; a friend or accomplice took the information and used it; or, in a completely independent breach, someone else broke into the same system at around the same time.
Dave Frymier, chief information security officer at Unisys, said the reports could have been created by a data mining group within the bank that crunches account and transaction data to determine trends about wealthy customers' behavior, to better serve them.