New details emerging about a breach involving a former Morgan Stanley employee illustrate how a case of inappropriate access to data can blossom into something much more serious. The case shines a spotlight on the urgent need to mitigate insider threats.
Galen Marsh, who in September pleaded guilty to stealing confidential customer information and saving it on his home server, has filed court documents to help refute allegations that he posted some of that information online for sale in underground forums.
According to Marsh's sentencing memorandum, which his attorney filed Dec. 1, federal investigators have confirmed that Marsh's home server was hacked just weeks before the data he took from Morgan Stanley appeared on the Internet. What's more, the memo, filed in hopes of winning a reduced sentence, alleges that Morgan Stanley suspects the hackers who targeted Marsh are based in Russia. Marsh is slated to be sentenced Dec. 17.
The possible Russian link was discovered during a forensic analysis of Marsh's home computer, a Morgan Stanley spokesman told The Wall Street Journal.
This case clearly illustrates why companies should be doing more to monitor their employees' access to sensitive information, not just because of what the insiders might do with the data, but because of what outsiders can do to take advantage of the insiders' access.
Privacy attorney Ron Raether, of the law firm Troutman and Sanders, points out: "Companies need to have technical, administrative and physical controls appropriate to the sensitivity of the data and role of the employee. ... In the end, while we can blame the employee as being the weakest link, it is up to companies to evolve and adjust to new and persistent threats. The standard of care is constantly in motion. However, it is important to stay ahead of that line and make sure that the business can easily argue that it exceeded that standard. It helps in litigation and with regulators."
Between June 2011 and December 2014, Marsh conducted nearly 6,000 unauthorized searches of confidential client information and then uploaded information about 730,000 of those clients to a server at his home in New Jersey, according to court records. In January, Marsh was fired; he later admitted in court that he illegally accessed account holders' names, addresses and other personal information, along with investment values and earnings, from computer systems used by Morgan Stanley to manage confidential data, court records note.
Morgan Stanley says it discovered the breach after it found that data linked to approximately 900 of its clients had been posted briefly on the Internet. The company also says that none of its clients lost money as a result of the breach.
Marsh has steadfastly claimed that he did not post any data online. He has argued that he accessed the information to analyze how other advisers managed clients' money, court records state.
"Consistent with his truthful assertions, the government confirms that Mr. Marsh's home server, on which Mr. Marsh had saved the client data, had been compromised between October 6, 2014, and October 31, 2014, only a few weeks before the client data appeared on the Internet," the sentencing memo filed on Marsh's behalf states. "It is probable that the client data was extracted from Mr. Marsh's home as a result of outside hackers. In fact, based upon conversations with representatives of Morgan Stanley, we learned that hackers emanating from Russia were suspected of posting the information and offering to sell it online."
Morgan Stanley did not respond to my request for comment.
But one of my takeaways from the developments in this case is how forcefully it hammers home the point insider threat experts have made about the growing risk of "unintentional insiders": individuals who are unknowingly taken advantage of by outsiders with their own agendas. It's a topic that speakers such as Michael Theis, of the Insider Threat Center at the Software Engineering Institute at Carnegie Mellon University, have discussed broadly at ISMG's own international Fraud Summits.
In this unique case, the insider threat has two dimensions. Marsh was clearly in the wrong for accessing this sensitive data and storing it on a home server. But then, it would seem, he was used as a pawn by outsiders who had their own fraud agenda.
Responsibility for Protecting Data
Financial fraud expert Avivah Litan, an analyst at the consultancy Gartner, says that while Morgan Stanley has made significant investments since firing Marsh to ensure this kind of internal data leak does not happen again, the company still runs the risk of being found negligent for allowing an employee to so easily access and exfiltrate information he was not authorized to view.
"Even in this case, I'm not sure Morgan Stanley is off the hook," Litan says. "Even though they can pin this on an employee, they are still responsible."
Litan reiterates her longstanding recommendation that companies implement user-behavior analytics to detect internal inappropriate access to data. "It's basically using machine learning to detect anomalous behavior," she says.
In the Marsh case, she says, "this would not have detected the hack of his home machine, but it would have detected him exfiltrating that data in the first place. If you miss it on the way, it's too late. And this is why machine learning and analytics are the only technologies you can rely on to solve this problem."
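As an added illustration of the baseline-and-anomaly approach Litan describes (not code from Morgan Stanley, Gartner or this article), the following Python flags a user whose daily count of distinct client records stands far outside the peer baseline, the signal that a sustained sweep of thousands of unauthorized searches would produce; the log format and account names are constructed assumptions.

```python
"""Peer-baseline detection of anomalous client-record access. Added example, not
Morgan Stanley's or any vendor's code. Assumed (constructed) log format: one
"date,user,client_id,action" line per lookup. A user touching far more distinct
records in a day than peers is flagged via a robust z-score (median/MAD)."""
from collections import defaultdict
from statistics import median

def distinct_clients_per_day(log_text):
    """Map date -> {user: number of distinct client ids touched that day}."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        date, user, client_id, _action = line.strip().split(",")
        seen[(date, user)].add(client_id)          # repeats of one record count once
    per_day = defaultdict(dict)
    for (date, user), clients in seen.items():
        per_day[date][user] = len(clients)
    return per_day

def robust_z(value, values):
    """Modified z-score 0.6745*(x-median)/MAD; a MAD of 0 means peers are identical."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad

def flag_anomalies(log_text, threshold=3.5):
    """Return [(date, user, distinct_count, score)] for users above threshold."""
    flagged = []
    for date, counts in sorted(distinct_clients_per_day(log_text).items()):
        for user, n in counts.items():
            score = robust_z(n, list(counts.values()))   # median/MAD resist the outlier
            if score > threshold:
                flagged.append((date, user, n, round(score, 1)))
    return flagged

def build_sample_log():
    """Constructed sample: five advisers with normal volume, one sweeping 40 records."""
    normal = {"adviser01": 3, "adviser02": 4, "adviser03": 2, "adviser04": 5, "adviser05": 3}
    lines = [f"2014-10-01,{u},C{u[-2:]}{i:02d},view" for u, n in normal.items() for i in range(n)]
    lines += [f"2014-10-01,adviser06,C99{i:02d},view" for i in range(40)]
    lines += ["2014-10-01,adviser06,C9900,view"] * 3   # re-reads do not add to the count
    return "\n".join(lines)

if __name__ == "__main__":
    for hit in flag_anomalies(build_sample_log()):
        print(hit)   # ('2014-10-01', 'adviser06', 40, 24.6)
```

The same scoring works unchanged on a per-user rolling window or on record exports rather than views; the point is that the outlier is measured against a baseline it cannot distort.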
The Morgan Stanley incident also demonstrates that corporations need strong policies to help ensure sensitive corporate and customer data is not compromised by employees using personal devices to access corporate files.
Raether, the attorney, sums it up well: "It is not enough to just blame employees for events. We have known even before breach notice statutes that users present the most difficult and sometimes greatest threat."