Morgan Stanley, a leading global financial services firm, has confirmed a partial client data leak.
According to a statement published on the firm’s website, an employee briefly posted online the account information, including names and numbers, of approximately 900 wealth management clients.
At this time, only non-sensitive information is believed to have been leaked. “[T]here is no evidence that critical data such as social security numbers or account passwords were exposed or taken,” reads an internal memo from the bank’s head of wealth management, Gregory Fleming, as reported by the Wall Street Journal.
Morgan Stanley has since removed the data from the web, fired the financial advisor responsible for the incident, and begun notifying clients.
Ken Westin, Senior Technical Marketing Manager and Security Analyst at Tripwire, praised Morgan Stanley for its response time: “The firm was able to quickly detect the compromise and act quickly to mitigate the potential damage to the clients affected.”
Morgan Stanley has attributed the leak to one Galen Marsh, who may have been looking to sell the client data online.
In Westin’s words, “The motives of the employee who misappropriated the wealth management client data are unclear, but at this time, it does not look like it was out of malice or an attempt to commit a crime.”
It is believed that Mr. Marsh took the data of approximately 350,000 wealth management clients in total.
Marsh is a prime example of the damage that can be wrought by insider threats.
“This case shows the importance of limiting access to sensitive data on a need to know basis, as well as the value of having tools in place to detect potential compromise of customer data,” said Westin.
“Managing who has access to sensitive data within an organization is a challenge many organizations face, but it is a particularly thorny issue in financial services where the leak of information can have devastating effects on a client and their trust of the organization they are working with.”
The FBI is currently investigating the incident.