Morgan Stanley: Insider Stole DataEmployee Posted Some Client Information Online
Financial services company Morgan Stanley has fired an employee who it claims stole account data for hundreds of thousands of its wealth management clients. Stolen information for approximately 900 of those clients was posted online for a brief period of time, the company says.
See Also: Secure Access in a Hybrid IT World
The firm, which is the sixth largest financial services company in the U.S. with $814 billion in total assets, says that while there is no evidence of any economic loss to any of its clients, it has confirmed that certain account information, including account names and numbers, was stolen.
The data stolen by the employee does not include account passwords or Social Security numbers, the firm says. Morgan Stanley is notifying all potentially affected clients and is instituting enhanced security procedures, including fraud monitoring, on the accounts.
Overall, partial account information for up to 10 percent of all wealth management clients was stolen, Morgan Stanley says. That comes out to about 350,000 individuals, according to CNBC.
"Morgan Stanley takes extremely seriously its responsibility to safeguard client data, and is working with the appropriate authorities to conduct and conclude a thorough investigation of this incident," the company says in a brief statement. The firm did not immediately respond to a request for further comment.
A source close to the investigation told CNBC that the subset of the stolen information that was posted online was discovered Dec. 27, 2014, during a routine scan that Morgan Stanley performs on suspicious websites. The firm was allegedly able to trace the breach back to the employee within 24 hours, the CNBC report says.
Although the stolen information on 900 clients was displayed online only for a brief period, there was an unspecified number of hits to the website involved during that time frame, the source told CNBC. The employee allegedly wanted to sell the information, the report says.
Insiders can be an "especially insidious" threat to organizations, says Al Pascual, director of fraud and security at Javelin Strategy and Research.
"They [require] intricate controls to contain while still being very difficult to spot," he says. "That is why being proficient at collecting and analyzing data on employee behaviors is critical to preventing these kinds of events."
In addition to impacting the privacy of its customers, the breach also puts Morgan Stanley at a competitive risk, Pascual says. "The type of information their ex-employee was looking to peddle could have made for valuable leads to other brokerages," he says. "And of course, any list that included the value of accounts held by Morgan customers would have likely raised eyebrows among fraudsters looking for 'whales' to target."