BreachExchange mailing list archives

Puzzle Forms in Morgan Stanley Data Breach


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 6 Jan 2015 19:23:29 -0700

http://www.wsj.com/articles/puzzle-forms-in-morgan-stanley-data-breach-1420590326

Last summer, a newly minted Morgan Stanley financial adviser named Galen
Marsh started to sift through the account records of some 350,000 of the
firm’s clients. Virtually none of them were his own.

By December, some of that account information appeared on a text-sharing
website, with the offer to trade it for an obscure virtual currency.
Shortly after Morgan Stanley discovered the posting, it fired the
30-year-old Mr. Marsh and triggered a Federal Bureau of Investigation probe
into how the records ended up online.

In what some security experts are saying is likely the biggest data theft
at a wealth-management firm, some facts aren’t in dispute: Mr. Marsh’s
lawyer has said that his client downloaded the account information and that
he was subsequently fired by Morgan Stanley.

But a mystery remains about whether Mr. Marsh posted the information online
and, if so, why he would risk his career.

Already, the episode is having ramifications within Morgan Stanley: On
Tuesday, people familiar with the matter said the firm has tightened access
to its client database so that individual advisers no longer have access to
such wide swaths of account data. It also hired an outside consulting firm
to increase its capacity to take calls from clients concerned about the
breach and provide credit and identity-theft protective services.

Mr. Marsh’s lawyer Robert Gottlieb says the matter is an employment dispute
and denies that Mr. Marsh posted the information online or ever tried to
sell it.

It isn’t uncommon in the wealth-management industry for advisers to
squirrel away information about clients before leaving for another firm,
since a stable of wealthy clients is the lifeblood of any successful
advisory practice.

But Mr. Marsh, who had been promoted from trainee last April, wasn’t facing
any disciplinary action, and had no reason to believe his position at
Morgan Stanley was in jeopardy before he was confronted about the data he
had downloaded, according to a person familiar with the matter.

However, Morgan Stanley officials believe the trail to the data posted
online leads back to Mr. Marsh, according to people familiar with the
matter.

The data appeared as a posting on Pastebin on Saturday, Dec. 27. The
posting was created anonymously, without a Pastebin user account, an
official with the text-sharing service said.

Morgan Stanley officials picked up on the posting early that morning after
it triggered an alert by a routine surveillance of a number of websites
that traffic in sensitive information, according to people familiar with
the matter.

Later that day, Morgan Stanley officials alerted Pastebin that the posting
contained client information and requested its removal. The site complied
and by Monday the posting was down, the people said. In the coming days,
Morgan Stanley would come back to Pastebin with additional removal
requests, the site official said.

By Saturday afternoon, many of Morgan Stanley’s top executives, including
Chairman and Chief Executive James Gorman, were briefed on what the firm’s
security and tech teams had uncovered.

A Dec. 15 posting touted “about 6 000 000 account records” from Morgan
Stanley, along with a vague offer to “buy data.” That posting, which
appears to have been taken down, didn’t trigger an alarm at Morgan Stanley.
The Dec. 27 posting was far more explicit, providing details on 1,200
accounts and directing would-be buyers to a different website, gourl.io,
where data can be exchanged for virtual currencies. The poster was asking
for 78,000 speedcoins, a type of virtual currency, people familiar with the
matter said.

Speedcoin is one of a number of digital currencies that are similar to
bitcoin.

The morning of Dec. 27, Morgan Stanley also alerted the FBI.

As the Morgan Stanley officials looked through the firm’s computer system
to figure out if anyone had accessed a cache of data that would have
included the details found on Pastebin, they got one hit: Galen Marsh, the
people said.

On Sunday, the firm’s employees accessed Mr. Marsh’s office computer and
found that he had downloaded the same database, the people said. On Monday,
Morgan Stanley officials approached Mr. Marsh at his Midtown Manhattan
office and quizzed him on their findings, the people said.

In that conversation, Mr. Marsh conceded he had accessed the client
information but maintained that he hadn’t posted any of it online or
intended to sell the data, the people said.

Morgan Stanley security officials then escorted Mr. Marsh to his home,
where they took a computer and storage devices that also held client data.
The firm is still investigating how Mr. Marsh allegedly transferred the
data to his personal devices, the people said.

Morgan Stanley’s office computers typically don’t have a port to accept
external hardware devices, and Mr. Marsh didn’t send it to himself by
email, the people said.

Mr. Marsh studied at Muhlenberg College, where he played lacrosse and met
his wife. He joined Morgan Stanley as a sales assistant in 2008 after
spending several months at John Paulson’s hedge-fund firm and then Bear
Stearns Cos., the investment bank that sold itself to J.P. Morgan Chase &
Co. during the financial crisis.

He got married in August 2013. Eight months later, he was promoted from
trainee to full-fledged financial adviser.

One clue to the mystery could reside at Pastebin: The site has a record of
the anonymous poster’s IP address, but won’t share it unless a court order
compels them to, the Pastebin official said. Besides, he said, it is very
possible the address would be traced to a proxy service used in part to
mask the real poster’s identity.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
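The article describes two detection steps: a routine watch on paste sites that raised an alert when the Dec. 27 posting appeared (but not on the vaguer Dec. 15 one), and a search of the firm's own access records for anyone who had touched the cache of data the posting came from. The script below is an added example, not code from the article, Morgan Stanley, or the list; it assumes a hypothetical account-ID format (three-six-three digits), an assumed keyword watchlist, and constructed paste bodies and access-log lines. It scores a paste as "high" only when firm-specific terms appear together with a threshold number of record-shaped identifiers, which is the difference between a posting that merely mentions the firm and one that carries records, and then ranks log users by how much of the leaked ID set they accessed.

```python
"""Paste-site watch plus access-log correlation (added example, constructed data)."""
import re
from collections import defaultdict

# Hypothetical account-ID format for the example: NNN-NNNNNN-NNN (not the real format).
ACCOUNT_RE = re.compile(r"\b\d{3}-\d{6}-\d{3}\b")

# Assumed watchlist of firm-specific terms a monitoring job would look for.
WATCHLIST = ("morgan stanley", "wealth management", "account records")


def extract_account_ids(text):
    """Return the set of strings in `text` that look like account IDs."""
    return set(ACCOUNT_RE.findall(text))


def score_paste(text, watchlist=WATCHLIST, min_records=10):
    """Classify a paste body.

    'high': watchlist term present AND at least `min_records` record-shaped IDs.
    'low':  watchlist term present but few or no records (a vague sales pitch).
    'none': nothing firm-specific.
    """
    lower = text.lower()
    hits = [w for w in watchlist if w in lower]
    ids = extract_account_ids(text)
    if hits and len(ids) >= min_records:
        severity = "high"
    elif hits:
        severity = "low"
    else:
        severity = "none"
    return {"severity": severity, "keyword_hits": hits, "account_ids": ids}


def parse_access_log(lines):
    """Parse constructed 'timestamp user action account_id' lines into user -> {ids}.

    Only actions that expose record contents count; malformed lines are skipped.
    """
    seen = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, user, action, acct = parts
        if action in ("export", "view"):
            seen[user].add(acct)
    return dict(seen)


def suspects(user_access, leaked_ids):
    """Rank users by the fraction of the leaked ID set they accessed (1.0 = full coverage)."""
    leaked = set(leaked_ids)
    ranked = [(user, len(ids & leaked) / len(leaked)) for user, ids in user_access.items()]
    ranked.sort(key=lambda t: (-t[1], t[0]))
    return ranked


# --- Constructed sample data (not the real postings or logs) ---
LEAKED_IDS = [f"100-{i:06d}-001" for i in range(1, 13)]  # 12 made-up IDs
EXPLICIT_PASTE = "Morgan Stanley account records, buy data here\n" + "\n".join(
    f"acct {a} client balance 1000000" for a in LEAKED_IDS
)
VAGUE_PASTE = "about 6 000 000 account records from Morgan Stanley, buy data"
LOG_LINES = (
    [f"2014-12-20T10:00 adviser_a export {a}" for a in LEAKED_IDS]
    + [f"2014-12-21T09:00 adviser_b view {a}" for a in LEAKED_IDS[:3]]
    + ["2014-12-22T11:00 ops_c export 100-000999-001", "malformed line"]
)


def run():
    """Score both constructed pastes and correlate the explicit one against the log."""
    explicit = score_paste(EXPLICIT_PASTE)
    vague = score_paste(VAGUE_PASTE)
    ranked = suspects(parse_access_log(LOG_LINES), explicit["account_ids"])
    return explicit, vague, ranked


if __name__ == "__main__":
    explicit, vague, ranked = run()
    print("explicit paste:", explicit["severity"], len(explicit["account_ids"]), "ids")
    print("vague paste:", vague["severity"], vague["keyword_hits"])
    for user, coverage in ranked:
        print(f"{user}: {coverage:.0%} of leaked IDs")
```

The record threshold is the tunable part: set it too high and a posting like the Dec. 27 one, which listed only 1,200 of the downloaded accounts, could slip by; set it to zero and every mention of the firm pages the on-call analyst. The log correlation assumes the access log records which account each user viewed or exported; a log that only records logins cannot narrow the search the way the article describes.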
