Unsettling Truths, Unanswered Questions in Morgan Stanley Breach
TD Bank has settled with the state of Massachusetts after a data breach exposed the personal information of as many as 260,000 customers.
Bank executives need to understand these basics of vulnerability and accountability when it comes to the security of electronic networks or they could quickly lose their jobs.
The leak of client records at Morgan Stanley illustrates the danger posed when just one employee has unauthorized or unsecured access to sensitive information, as well as the ongoing threat to financial institutions from insider theft.
The investment bank said this week that a rogue employee stole account records for 350,000 of its wealth management clients and posted 900 of those records online. The bank has answered some questions about the case, but others remain open.
The incident is similar in one respect to the JPMorgan Chase breach disclosed in August. In that case, account records of 76 million households and seven million business clients were compromised through one employee's computer, which had an unencrypted connection to a server containing the data.
This much is certain: On Dec. 27, someone posted a trove of records on 900 of Morgan Stanley's wealthiest clients to Pastebin, an online bulletin board where anyone can anonymously post plain text. The site was used by the Al Qassam Cyber Fighters to announce their distributed denial of service attacks against banks two years ago and by political dissidents in Venezuela to share information during protests last year.
The Pastebin poster promised additional information on Morgan Stanley clients in exchange for 78,000 speedcoins (an obscure Internet currency, described by its developers as "a lite version of Bitcoin").
Oddly enough, this was a meager bounty; 78,000 speedcoins are only worth about $2.95, according to a currency converter on the wallet provider Cryptonator's website. Presumably, it would have been more profitable to take the information to another wealth-management firm.
Meanwhile, Morgan Stanley's data loss prevention system caught an employee, 30-year-old financial advisor Galen Marsh, accessing 350,000 records from a wealth management system. No Social Security numbers, passwords or credit card numbers were compromised and there were no signs of fraud on any of the affected accounts. (The bank has about 3.5 million wealth management clients all told.)
The bank, which says it caught this breach within eight hours, acted quickly: Marsh was fired, the account information was wiped off Pastebin, and the software Marsh allegedly used to access the data was shut down.
But some mysteries remain, such as: Was Marsh the person who posted the information on Pastebin? Did he act alone? And why was he able to access so many records in the first place?
The Bank's Account
According to an executive at Morgan Stanley who did not want to be named, Marsh who was promoted to financial advisor from sales assistant about a year ago gained access to the records by finding a way to run reports in the bank's wealth management software. Contrary to some news reports, the bank says he did not hack into the system, but navigated it in a way he wasn't supposed to.
"He figured out how to run internal reports on our systems and he downloaded them," the executive said. The information included some client data: names, account numbers, and some asset value and transactional information.
Marsh was not authorized to access the information, the bank said. "He just figured out how to do something he shouldn't have been doing," the Morgan Stanley executive said. He would not say what software program was used to run the report.
Marsh has admitted he improperly accessed the information and said he is cooperating with Morgan Stanley, but his lawyer, Robert C. Gottlieb of Gottlieb & Gordon, denied that his client posted the compromised account information on Pastebin.
"Mr. Marsh never posted anything online, he never authorized anyone to post anything online, he never sold the account information, he never intended to sell it and he did not share one bit of account information with anyone," Gottlieb said Wednesday. "That is the end of the story."
Morgan Stanley said it believes Marsh was trying to monetize the information. "We do not believe what his lawyer is saying," the bank executive said. "If he wasn't planning on selling it, what was he doing with it?"
Asked if there's a logical explanation for why the records Marsh downloaded to his computer match the records posted on Pastebin, Gottlieb replied, "You bet your life there's a logical explanation and the bank knows the logical explanation. And I don't know why they continue to even speculate or suggest that Mr. Marsh had any hand in posting anything when the bank knows he did not."
Gottlieb did not share the explanation. "When we complete our investigation and go public, we'll share that," he said. "Is there any evidence, corroboration that Morgan Stanley can share to support their misleading speculation?"
If Marsh did not post the information, then one of three scenarios might have occurred: his computer was hacked; a friend or accomplice took the information and used it; or in a completely independent breach someone else broke into the same system at around the same time.
Dave Frymier, chief information security officer at Unisys, said the reports could have been created by a data mining group within the bank that crunches account and transaction data to determine trends about wealthy customers' behavior, to better serve them.
"I have no doubt that somewhere in Morgan Stanley there's a group of people who have all sorts of access to those 3.5 million records," he said. "I suspect Marsh may have stumbled onto some way to run some reports, and in that manner he probably wasn't supposed to have that access, perhaps it was a misconfiguration. Maybe he thought he was going to do some sort of data mining work on it himself."
None of the digital artifacts email accounts, soliciting of money, ownership of the Pastebin account appears to trace back to Marsh, Frymier said.
"The only thing that appears to correlate with Mr. Marsh is the fact that Morgan Stanley's data loss prevention system tripped on the fact that he had access to these records and was probably not supposed to," he said. "Then they correlate that with the fact that the Pastebin notice occurred in that second week of December and said 'this guy had all this access to records that showed up in Pastebin, they must have come from him.' I have no doubt it was an inside job, but I'm not so sure they got the right guy."
Scott Hazdra, principal security consultant at Neohapsis, a consulting company specializing in mobile and cloud security, likened the incident to "someone in finance coming across a spreadsheet with everybody's salary information. It doesn't seem like he was out to do this intentionally. It seemed like a crime of opportunity."
Security experts give Morgan Stanley props for catching the data theft quickly.
"Within about eight hours, we knew where the information came from and who had downloaded it and we had an initial view of the parameters of the information theft," the Morgan Stanley executive said. He would not share specifics of how this was done.
It's not common, but it's a best practice for a firm the size of Morgan Stanley to have a program in place that monitors certain locations on the Internet to see if somebody is trying to sell their data, Frymier said.
"That's three check marks for Morgan Stanley, in that they were able to detect the exfiltration of the data in the first place, and were able to find on the Internet where somebody was trying to do something with it," he said. "Now the question is, is it coincidence or is it really the same data?"
Dealing with the Insider Threat
This breach is the latest example in financial services of the insider threat, which has been around for decades and that traditional security practices don't necessarily curb.
"Every organization is vulnerable," Hazdra said. "A lot of security and compliance puts controls around information deemed critical, such as credit card numbers. Most companies have done a good job protecting that," but not necessarily the databases that don't store personally identifiable information like Social Security numbers.
Companies often take a rules-based approach to protecting sensitive data, according to Idan Tendler, the chief executive officer of security company Fortscale.
"Most organizations have policies that say 'you can't download more than 1,000 files, more than that and we will arrest you.' So people are downloading 999," said Tendler, a former agent of the 8200, Israel's cyberwarfare specialist group, and a specialist in insider threats. "This is why, when security is based on predefined rules or predefined heuristics, people from the inside and attackers from outside will bypass it."
The solution he and many others recommend is security analytics software that analyzes user behavior for anomalies, the same way credit card transactions are constantly monitored for signs of fraud. For instance, it might be suspicious if a user who typically downloads 20 account records at a time suddenly downloads 50. The user who normally accesses records at work but starts to download records at home or at midnight would be suspect.
Such an approach starts with capturing all data movement across the network, which many companies already do.
Then in some cases, analysts watch that data movement for signs of unusual behavior, Hazdra said. "It's still a very human role. They take the information and figure out why something is going between two endpoints or people," he said. "If they see something that's anomalous, they escalate it."
Automated tools let them search through the data to test whether people who are not authorized are accessing certain types of information.
"Analytics tools provide not only the actual packet but metadata that's gathered about the information," Hazdra said. "That's where you can find clues as to data that shouldn't be flowing to certain places."
But any solution is partial.
"Preventing a trusted insider from doing something bad is almost impossible," said Frymier. "One of the Achilles' heels of the way we've designed our IT infrastructure these days is [that] certain people are trusted."
For instance, system administrators generally have unlimited access to almost everything in an organization's network. "If you have a system administrator that goes bad, like Edward Snowden did, there's very little you can do about that except try to detect it.
"If there's a moral to this story, it's that the insider problem is very real and it's very hard to defend against," he said.