Morgan Stanley financial advisor Galen Marsh downloaded personal and sensitive account data for 350,000 clients of the firm. Essentially none of these clients were his own. A few weeks ago, in December 2014, these data started showing up on Pastebin, a website popular with data thieves and other illegal operators. The anonymous poster offered to trade more data in exchange for a payoff in virtual currency. Morgan Stanley detected the breach, subsequently fired the 30-year-old advisor, and the FBI has opened an investigation.

One startling aspect of this data breach is the seemingly weak information security at Morgan Stanley. One of the basic tenets of the field is "access control", or the principle of least privilege: each employee's access should be restricted to the data he or she needs to do the job, and that restriction has to be enforced on the server for every record, not just assumed because the employee is logged in. In this case, Mr. Marsh should have had access to only the handful of clients that he supported, not 350,000! Least privilege is also only half the story: a single advisor pulling hundreds of thousands of records is a volume anomaly that monitoring should flag at the time of the download.
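To make the access-control point concrete, here is an added example (it is not from the article and says nothing about how Morgan Stanley's systems actually work). It shows the weak pattern, an "export my clients" query with no authorization predicate, next to the hardened version that scopes the query to the caller's own book of business, and a detection query over the access log that flags any advisor who has read clients not assigned to them. The table layout, the advisor names and the client rows are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for this example (not the firm's schema or real clients):
# three advisors, each assigned two clients.
CLIENTS = [
    (1, "Client A", "ACCT-0001", "advisor_1"),
    (2, "Client B", "ACCT-0002", "advisor_1"),
    (3, "Client C", "ACCT-0003", "advisor_2"),
    (4, "Client D", "ACCT-0004", "advisor_2"),
    (5, "Client E", "ACCT-0005", "advisor_3"),
    (6, "Client F", "ACCT-0006", "advisor_3"),
]


def build_db():
    """Create an in-memory database with a clients table and an access log."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE clients (id INTEGER PRIMARY KEY, name TEXT, "
        "account TEXT, advisor TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO clients VALUES (?, ?, ?, ?)", CLIENTS)
    conn.execute(
        "CREATE TABLE access_log (advisor TEXT NOT NULL, client_id INTEGER NOT NULL)"
    )
    conn.commit()
    return conn


def _log_access(conn, advisor, rows):
    """Record which client records a given advisor was served."""
    conn.executemany(
        "INSERT INTO access_log VALUES (?, ?)", [(advisor, r[0]) for r in rows]
    )
    conn.commit()


def export_clients_unscoped(conn, advisor):
    """Weak pattern: the caller is authenticated (we know who 'advisor' is), but
    the query carries no authorization predicate, so any advisor gets every client."""
    rows = conn.execute("SELECT id, name, account FROM clients").fetchall()
    _log_access(conn, advisor, rows)
    return rows


def export_clients_scoped(conn, advisor):
    """Hardened pattern: authorization is enforced inside the query, on every row,
    through a bound parameter. The caller cannot widen the result set."""
    rows = conn.execute(
        "SELECT id, name, account FROM clients WHERE advisor = ?", (advisor,)
    ).fetchall()
    _log_access(conn, advisor, rows)
    return rows


def flag_overreach(conn):
    """Detection: per advisor, count the distinct clients they read that are NOT
    assigned to them. Any non-zero count means a record was served outside the
    caller's scope and should raise an alert at the time of the read."""
    rows = conn.execute(
        """
        SELECT a.advisor, COUNT(DISTINCT a.client_id) AS foreign_clients
        FROM access_log a
        JOIN clients c ON c.id = a.client_id
        WHERE c.advisor <> a.advisor
        GROUP BY a.advisor
        """
    ).fetchall()
    return {advisor: n for advisor, n in rows}


if __name__ == "__main__":
    db = build_db()
    print("scoped export for advisor_2:", export_clients_scoped(db, "advisor_2"))
    unscoped = export_clients_unscoped(db, "advisor_1")
    print("unscoped export for advisor_1 returned", len(unscoped), "rows")
    print("overreach alerts:", flag_overreach(db))
```

The scoped query returns two rows for advisor_2 and the detection query stays quiet; the unscoped query hands advisor_1 all six rows, and the detection query then reports four clients outside that advisor's assignment. In a real deployment the same predicate would come from the session, never from a request parameter, and the detection would run continuously over the access log rather than after the fact.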

Marsh admitted to downloading data for 350,000 clients but denies posting it online.  Morgan Stanley is trying to understand how Marsh transferred the data offsite.

In response to this breach, Morgan Stanley reportedly tightened security on its client database, hired an outside call center to handle the surge of inbound calls from clients concerned about the breach, and is offering credit monitoring and identity theft services to affected clients.

Source: WSJ