Internet site Pastebin offering six million account records, including passwords and login data for clients of Morgan Stanley.
Two weeks later, a new posting on the information-sharing site offered a teaser of actual records from 1,200 accounts, and provided a link for people interested in purchasing more, according to a person briefed on the matter. The link pointed to a website that sells digital files for virtual currencies like Bitcoin. In this case, the files were being sold for a more obscure currency, Speedcoin.
The offer was quickly taken down the same day, Dec. 27, after Morgan Stanley discovered the leak. In short order, the bank traced the breach to a financial adviser working out of its New York offices, a 30-year-old named Galen Marsh, according to a person involved in the investigation who spoke on the condition of anonymity.
Mr. Marsh, who had been with Morgan Stanley since 2008, was quickly fired and is currently the subject of a criminal investigation by the Federal Bureau of Investigation, a person briefed on the investigation said. The Financial Industry Regulatory Authority is also examining the matter.
Morgan Stanley said on Monday that it had determined that Mr. Marsh took data on about 10 percent of its 3.5 million wealth management customers, including transactional information from customer statements.
The bank said that Mr. Marsh did not take any sensitive passwords or Social Security numbers, and that it had not found any evidence that the breach resulted in any losses to customers. A lawyer for Mr. Marsh, Robert C. Gottlieb, acknowledged on Monday that his client did take the information in question but said that he did not post it online, share it or try to sell it.
The case, though, points to the variety of threats banks face as they try to safeguard sensitive customer data.
While foreign hackers have been responsible for attacks on JPMorgan Chase and Nasdaq, among others, the vulnerability at Morgan Stanley was an employee at the firm. Financial firms have struggled to deal with insider threats because it can be hard to differentiate between employees pulling data for legitimate purposes and those using it for nefarious reasons.
The case could be damaging for Morgan Stanley because the firm has become increasingly reliant on the success of its wealth management division as it has de-emphasized riskier trading. The company’s stock ended down more than 3 percent on Monday.
Morgan Stanley worked back to Mr. Marsh from the information that was posted publicly on Pastebin, a site that allows for the easy and anonymous publication of large amounts of data.
The first advertisement of Morgan Stanley data was on Dec. 15, and it directed people interested in buying the data to two email addresses, neither of which appears to be related to Mr. Marsh.
The Dec. 15 posting did not reveal any actual client data, but boasted of the array of information available, including “account records and other data.”
Twelve days later, a different item provided a sample of the information that was available, giving details from 1,200 accounts that Morgan Stanley said were tied to 900 clients.
The item directed interested buyers to gourl.io, a website that advertises itself as a “crypto-currency payment gateway,” allowing digital files to be sold anonymously.
The Morgan Stanley documents were offered for 78,000 Speedcoins, a relatively new virtual currency that is not yet big enough to have a readily available exchange rate.
Mr. Marsh, who attended Muhlenberg College in Pennsylvania, was hired by Morgan Stanley as a sales assistant in 2008, after brief stints at Bear Stearns and the hedge fund manager Paulson & Company, according to regulatory filings.
Working out of Morgan Stanley’s offices on Sixth Avenue in Manhattan, Mr. Marsh rose to become a full financial adviser in March 2014.
Mr. Marsh was fired last week, according to a person at the firm.
Mr. Gottlieb said that Mr. Marsh had acknowledged “that he should not have obtained the account information and has been cooperating with Morgan Stanley to protect the firm and its customers.”
Mr. Gottlieb added: “To be clear, Mr. Marsh did not sell or ever intend to sell any account information to anyone. He did not post the information online; he did not share any account information with anyone or use it for any personal financial gain. He is devastated by what has occurred and is extremely sorry for his conduct.”
(The New York Times)