Morgan Stanley Breach: Adviser Accessed Client Data Countrywide
Until last April, the young adviser now at the center of Morgan Stanley's massive client data breach was a sales assistant who spent the majority of his career under the tutelage of one of the firm's wealth management teams.
Despite his junior status within the 1211 Group, the client data Galen Marsh allegedly gained access to in December belonged to Morgan advisors from across the country, according to people who spoke with advisors working with clients whose information was included in the data breach.
A source who said he spoke with advisors in California and Michigan said they were shocked to see their clients' names and other data on Pastebin, a website notoriously used for posting hacked and leaked information.
The company said that FBI and FINRA investigators are now looking into how Marsh, 30, could access such information, which typically would be available at different levels to superiors and others in IT and business support roles outside of the Manhattan practice.
As previously reported, an executive at Morgan Stanley who did not want to be named said Marsh, who was promoted to financial advisor from sales assistant about a year ago, gained access to the records by finding a way to run reports in the bank's wealth management software. The executive said Marsh did not hack into the system, but used it in a way he wasn't authorized to. "He just figured out how to do something he shouldn't have been doing," the executive said. He would not say what software program was used to run the report.
"He figured out how to run internal reports on our systems and he downloaded them," the executive said. The information included names and account numbers, as well as some asset value and transactional information.
Morgan, according to the executive, said it believes Marsh was trying to monetize the information.
Marsh's attorney, Robert C. Gottlieb of Gottlieb & Gordon in New York, confirmed when asked by a reporter that his client took the information, but insisted he did not intend to sell it. Gottlieb, however, declined to give an explanation for why the records Marsh downloaded to his computer match the records posted on Pastebin.
Timothy Ryan, a managing director and cyber investigations practice leader at corporate security firm Kroll, who is a former special agent with the FBI, said in his experience he's found only one reason why sensitive internal company information is leaked online: vengeance. "The person is clearly using the data to punish the company, because they are angry about something," Ryan said.
Corporate data breaches carry potential criminal penalties under federal statutes, law enforcement experts note; prison sentences depend largely on the cost to the company to investigate and fix the information leak, as well as how substantive the violation was. Other factors used to determine the severity of penalties include how an individual gained access to data, and whether the person had a prior criminal record.
Breaches can also trigger civil cases with potential fines and other disciplinary actions. These include FINRA- and SEC-imposed suspensions and banishment from the industry, said Christine Lazaro, director of the Securities Arbitration Clinic at St. John's University School of Law. The financial firm can also be held responsible for failing to properly supervise, Lazaro added.
Marsh joined Morgan Stanley in 2008 along with a group of Bear Stearns advisors who formed the 1211 Group. The group is currently headed by one of its founders, Stephen Ackerman.
A source with knowledge of the matter said there was no evidence other members of the 1211 Group participated in the data breach.
A former senior partner at the group, William Nash, who was suspended from practice by FINRA in 2014 after he did not pay Morgan more than $2 million in reclaimed recruitment bonuses awarded to the firm by an arbitration panel, said Marsh handled sensitive client information when he was a sales assistant on the team in his early 20s.
"He had access to all the clients," Nash said. "He had to know everything about these people. His role was client services support: wire transfers, all the client interaction, he would get inventory from the fixed-income desk, give clients quotes, any kind of support role for the senior partners, which was us."