Guilty Plea in Morgan Stanley Insider Breach
Experts Question Why Company Didn't Detect Unauthorized Access Sooner
A former wealth management adviser at Morgan Stanley pleaded guilty this week to stealing confidential information linked to more than 700,000 client accounts over a period of several years.
Some fraud-prevention experts say the investment banking firm could have taken steps to detect the suspicious insider activity sooner.
Galen Marsh, who worked for the firm's Manhattan office until he was fired in January 2015, told the U.S. District Court for the Southern District of New York on Sept. 21 that he illegally accessed account holders' names, addresses and other personal information, along with investment values and earnings, from computer systems used by Morgan Stanley to manage confidential data, according to court records.
Between June 2011 and December 2014, Marsh conducted nearly 6,000 unauthorized searches of confidential client information and then uploaded the information on 730,000 clients to a server at his home in New Jersey, the court documents show.
What Took So Long?
Shirley Inscoe, a financial fraud expert and analyst at the consultancy Aite, says Morgan Stanley should have had stronger internal controls and account monitoring in place to detect Marsh's scam sooner.
"Morgan Stanley let this employee steal client data for three-and-a-half years," Inscoe says. "Apparently, Morgan Stanley is either not using any technology to detect suspicious internal activity by employees that can lead to fraud, is not using such technology effectively, or is not working the alerts generated by such technology. They are doing a good job of monitoring suspicious external websites, which is how this employee data theft came to light. They took action swiftly once they were aware of the incident. But they should have provided better protection to their clients via diligent internal employee monitoring as well."
Inscoe says financial institutions have a responsibility to safeguard their clients. "There really is no excuse for such companies not to protect their clients better against internal threats," she says. "There are very good technology solutions that could have detected this employee's unacceptable behavior quickly and easily."
There are several potential reasons why Morgan Stanley did not catch Marsh's acts sooner, says Jeremy Strozer, a researcher on insider threats at Carnegie Mellon University and a featured speaker at Information Security Media Group's Fraud Summit Toronto next week.
"They were conducting a routine scan of external websites, which is how they found it," Strozer says. "This routine scan probably took place periodically, which means they could have missed many previous postings that were put up and then removed before their periodic scans were conducted. Beyond that, they do not appear to have been tracking the exfiltration of data from the organization's IT systems. It does not appear they had a DLP [data-loss prevention] tool in place, or monitored emails to external addresses for sensitive information."
Strozer also says Morgan Stanley does not appear to have been tracking individual employees' activities against a baseline of "normal."
"This individual worked for the organization for a while before performing the exfiltration," he says. "They had time to establish a baseline, as well as compare his activity to that of his peers, to understand what would be normal. Had they done this, his deviation from that activity could be tracked quickly, potentially identifying malicious or unintentional activity that could cause the organization harm."
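The baseline-and-peer comparison Strozer describes, as an added worked example (written for this article, not Morgan Stanley's or any vendor's tooling): each adviser's daily count of client-record lookups is scored against that adviser's own learning-window baseline and against the pooled peer group, and a day is flagged only when it is an outlier on both. The sample counts, the five-day learning window and the 3-sigma threshold are constructed assumptions.

```python
from statistics import mean, pstdev
from collections import defaultdict

# Constructed sample log: (day, user, lookups) = how many client-account records
# each adviser opened that day. Days 1-5 form the learning window; days 6-8 are
# scored against it. "u3" ramps up sharply on days 6-7, the others stay flat.
SAMPLE = [
    (1, "u1", 4), (1, "u2", 6), (1, "u3", 5),
    (2, "u1", 5), (2, "u2", 5), (2, "u3", 4),
    (3, "u1", 3), (3, "u2", 7), (3, "u3", 6),
    (4, "u1", 6), (4, "u2", 4), (4, "u3", 5),
    (5, "u1", 4), (5, "u2", 6), (5, "u3", 4),
    (6, "u1", 5), (6, "u2", 5), (6, "u3", 60),
    (7, "u1", 4), (7, "u2", 6), (7, "u3", 45),
    (8, "u1", 6), (8, "u2", 5), (8, "u3", 5),
]

def build_baselines(rows, learn_days):
    """Per-user mean/stdev of daily lookups over the learning window, plus a
    peer baseline pooled across every user's learning-window days."""
    per_user = defaultdict(list)
    for day, user, n in rows:
        if day <= learn_days:
            per_user[user].append(n)
    pooled = [n for counts in per_user.values() for n in counts]
    user_base = {u: (mean(c), pstdev(c)) for u, c in per_user.items()}
    return user_base, (mean(pooled), pstdev(pooled))

def score(rows, learn_days=5, k=3.0, floor=1.0):
    """Flag (day, user) when lookups exceed BOTH the user's own baseline and the
    peer baseline by more than k standard deviations. `floor` stops a perfectly
    flat baseline (stdev 0) from turning any small change into an alert."""
    user_base, (peer_mu, peer_sd) = build_baselines(rows, learn_days)
    alerts = []
    for day, user, n in rows:
        if day <= learn_days or user not in user_base:
            continue  # learning window, or a user with no history yet
        mu, sd = user_base[user]
        own_z = (n - mu) / max(sd, floor)
        peer_z = (n - peer_mu) / max(peer_sd, floor)
        if own_z > k and peer_z > k:
            alerts.append((day, user, n, round(own_z, 1), round(peer_z, 1)))
    return alerts

if __name__ == "__main__":
    for a in score(SAMPLE):
        print("day %d user %s: %d lookups (own z=%.1f, peer z=%.1f)" % a)
```

A real deployment would use a rolling window and add the other signals Strozer names, such as volume of data leaving the network, rather than lookup counts alone.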
Cybersecurity expert Avivah Litan, an analyst at the consultancy Gartner, says many larger financial organizations have been working for years to enhance their internal and external fraud detection systems. Integrating and replacing legacy systems at these organizations with new technology takes time, she notes.
"Morgan Stanley has invested considerably in security," Litan says. "But they probably need to take advantage of newer machine learning and analytic techniques that correlate and prioritize alerts so that they detect the most egregious incidents and respond to them in a timely fashion. They also need to be sure they have visibility into all of their employees' activities, no matter where and how they access corporate servers and information. ... The technology is available today - it just needs to be put in place and used properly."
Eric Chiu, president of the security firm HyTrust, says most companies focus on external threats more than internal ones, which leaves them vulnerable to malicious insiders. "Given that insider threats are the primary cause of breaches today, companies have to do more to protect critical systems and data from the inside using access controls, role-based monitoring and encryption," he says.
The Case Against Marsh
From October 2013 through December 2014, Marsh was exploring new job opportunities with two other financial institutions while he was stealing client data from Morgan Stanley, according to court documents.
Morgan Stanley said it discovered the breach after it found that data linked to approximately 900 of its clients had been posted briefly on the Internet. No Morgan Stanley clients lost money as a result of the breach, the company told Reuters this week.
"Morgan Stanley appreciates the efforts by the U.S. Attorney's Office and FBI that have led to the guilty plea of Galen Marsh," Morgan Stanley spokesman James Wiggins tells ISMG. "This action, which follows Morgan Stanley's initial investigation and reporting of his misconduct, makes clear that misuse of client account information will not be tolerated."
As part of his guilty plea, the court has asked Marsh to turn over the personal server and related equipment he used to facilitate his crime.
Marsh, whose sentencing is slated for Dec. 7, has agreed not to appeal any prison sentence of 37 months or shorter, Reuters reports.
Inscoe and Litan say the motivations that drive these types of insider schemes vary. Marsh told the court he transferred information to his server to help him perform his job, Bloomberg reports.
"Employees who steal always rationalize their crimes," Inscoe says. "This enables them to continue to steal, even though they know what they are doing is wrong. They may steal because they have been passed over for a promotion, or because they feel they deserve as much money as wealthy clients have. They may tell themselves they aren't hurting anyone, or that they will pay the stolen funds back. Regardless, they are thieves."