Friday, 9 January 2015

Morgan Stanley reveals theft of client data by insider

Morgan Stanley said that up to 10 per cent of its wealth management clients had their account information stolen by an employee who may have been looking to sell it.

The US bank’s wealth management arm has about 3.5m clients. An employee “briefly” published to the internet the account names and numbers of about 900 of those clients.

The employee was fired and the incident reported to law enforcement and regulators, Morgan Stanley said, adding that there was “no evidence of any economic loss to any client”. The Federal Bureau of Investigation has been notified.

A person familiar with the matter said the employee was a financial adviser named Galen Marsh, a 30-year-old based in New Jersey. The Wall Street Journal first reported his identity.

The person familiar with the matter said Morgan Stanley believed Mr Marsh was attempting to sell the data. However, Mr Marsh denies this.

Robert Gottlieb, a lawyer at Gottlieb & Gordon, who is representing Mr Marsh, said: “This is an employment matter between Mr Marsh and Morgan Stanley. He has acknowledged that he should not have obtained the account information and has been co-operating with Morgan Stanley to protect the firm and its customers. To be clear, Mr Marsh did not sell nor ever intended to sell any account information. He did not post account information online. Nor did he share any information with anyone. Nor use it for any financial gain. He is devastated by what has occurred and is extremely sorry for his conduct.”

The data breach is large: Morgan Stanley operates the second-biggest wealth management operation in the US, behind Merrill Lynch, and serves the equivalent of more than one in 100 Americans, who use brokerage accounts to trade stocks and bonds.

But it is dwarfed by several big data breaches in 2014, including the 76m households affected by a hacking incident at JPMorgan Chase, the nation’s largest bank by assets.

In that incident, which is believed to have been perpetrated by outside computer hackers, JPMorgan disclosed in October that contact details, but no account numbers or social security numbers, were compromised.

The Morgan Stanley theft shows the difficulties financial institutions have in securing their data against internal threats. 

Companies have made progress in securing the “perimeter” of their computer systems, according to security companies, but have struggled to reduce the opportunities for employees to steal potentially valuable data.

“The data stolen does not include account passwords or social security numbers,” Morgan Stanley said in a statement. “The firm is taking the precaution of notifying all potentially affected clients and instituting enhanced security procedures including fraud monitoring on these accounts.”

Shares in Morgan Stanley were down 3.1 per cent by the close in New York.

Morgan Stanley discovered the published account information on December 27 during routine scans of the internet, according to a person familiar with the matter, who said it had received “virtually no hits”.

“Morgan Stanley takes extremely seriously its responsibility to safeguard client data, and is working with the appropriate authorities to conduct and conclude a thorough investigation of this incident,” the bank said.

Getting larger in wealth management has been a big — and apparently successful — gamble by chief executive James Gorman in an attempt to move Morgan Stanley away from riskier fixed income trading and towards a more reliable source of revenues.

Last quarter Morgan Stanley’s wealth management arm made $3.8bn in revenues and pre-tax income of $836m. It employs more than 16,000 financial advisers.