Important News You Might Have Missed: Former Morgan Stanley Financial Adviser Sentenced
Out just days before Christmas (December 22, 2015), the FBI issued a press release announcing that Galen Marsh was sentenced to three years’ probation and ordered to pay $600,000 in restitution for obtaining confidential client information from his employer, Morgan Stanley. He had gained unauthorized access to certain of Morgan Stanley’s computer systems.
In January 2015, Galen Marsh as fired by Morgan Stanley after it accused him of stealing account data on about 350,000 clients and posting some of that information for sale online, in potentially the largest data theft at a wealth-management firm.
Marsh admitted to obtaining the account information and confirmed that he was fired. But his attorney said Mr. Marsh didn’t post the data online, and wasn’t seeking to sell it.
The Wall Street Journal reported at the time, “Morgan Stanley said its employee downloaded information on about 10% of its wealth-management clients, totaling about 350,000. The bank said that on Dec. 27 it discovered data related to about 900 of its client accounts during a routine review of public websites known to traffic in such information. The data, which included account names and numbers, states of residence and asset values, appeared on the Internet “briefly,” the firm said Monday in a statement.”
The FBI was called to investigate the situation and questioned quickly whether a hacker was behind the posting of data —and not the financial adviser who was fired in connection with the breach. “This latest twist raises the possibility that the incident is connected to larger cybersecurity concerns on Wall Street and isn’t an isolated episode tied solely to the questionable judgment of a junior executive,” according to a February Wall Street Journal article.
Was Marsh targeted by the hacker? Was he seeking new employment so stole the Intellectual Property? Or was Marsh truly researching how successful advisers had built their customers’ portfolios?
Regardless of the motive, the fallout of Marsh for viewing and copying account information on other advisers’ clients is an important case in stolen data. First, it clearly was bad news for Marsh who is out a job, has $600,000 due in restitution fees and is on probation. Next, Morgan Stanley had to fight fires with client data appearing not just the once, but continuing to pop up on various sites.
This situation is a great reminder of how we all store and allow access of our sensitive information – client data (social security numbers, financial information, personally identifiable information) and our intellectual property (IP). We are not just protecting against external threats, but instead need to protect against insider attacks.
“Many executives don’t fully appreciate that their biggest risk can come from within. Malicious internal actors can endanger not only a company’s financial and reputational health, but also the physical safety of their staff. Recent events—multi-million dollar employee fraud, high-profile intellectual property theft, and the attacks in San Bernardino— have made it clear that events like the Edward Snowden data leaks or the Washington Navy Yard shootings were not anomalies,” said Scott Weber, Managing Director at Stroz Friedberg. He continued:
“While organizations have bolstered their cybersecurity plans to protect their most sensitive proprietary information in response to potential external breaches, insider risks haven’t been addressed with the same attention and care. They’re the loss that nobody wants to talk about publicly, and many organizations go to great lengths to conceal the existence and ramifications of inside bad actors. But these risks can be some of the most damaging to an organization: one 2015 Intel Security study found that insiders account for 43% of all data loss.”
Furthermore, a Symantec survey found that half of employees admit to taking corporate data with them when they transfer jobs and 40% say they plan to use the information at their new organization. Yet 56% don’t realize it’s a crime to use those trade secrets. Galen Marsh’s sentencing provides more evidence that this could happen to any of us.
How to protect against insider threats
Protecting against insider threats requires technology that can secure access and offer data security. Organizations need to adopt the principles of zero trust to combat malicious insiders on the network level. Individuals should only ever have access to the resources they need to do their job, and this should only ever be granted in reasonable contexts. Otherwise, there’s nothing stopping them from spending their downtime trawling entire network segments for sensitive information.
To avoid data breaches caused by careless behavior, organizations need strong content-level security. By tracking, restricting access to and potentially encrypting files that contain sensitive information, they can mitigate the consequences of misdirected emails and similar incidents. Better still, if this process is automated, they can remove the scope for human error from the equation entirely.