January 8, 2015 By Jaikumar Vijayan 3 min read

The tale of former Morgan Stanley financial adviser Galen Marsh and his alleged improper access to records belonging to 350,000 of the firm’s wealthiest clients highlights why security managers consider insider threats to be one of their most intractable problems.

Data Theft

Marsh, an employee with Morgan Stanley’s Wealth Management group, was fired earlier this week for allegedly stealing what the company described as partial client data belonging to about 10 percent of its 3.5 million clients. The stolen information included account names, numbers and some transactional data from customer statements.

Information belonging to about 900 of those clients was later posted on Pastebin in December, along with instructions on how to purchase the data in its entirety by visiting a site that lets people buy and sell files anonymously. Marsh has reportedly admitted to accessing the client account data. However, several media outlets have quoted his lawyer as saying that his client did not post any data online, nor did he have any plans to sell the data. It remains unclear how Marsh was able to download the contents of the Wealth Management client database to his computer and then apparently transfer them to his personal computer, the Wall Street Journal noted.

According to Morgan Stanley, no account passwords or Social Security numbers were stolen, and there is no indication that any of the data that was accessed has been misused. The data posted on Pastebin was removed the same day, and the company has notified the appropriate law enforcement and regulatory authorities of the breach.

Morgan Stanley Motive a Mystery

The incident has garnered considerable attention for both its scope and for the relatively unusual circumstances surrounding the theft. Most incidents of insider theft involve individuals who are either disgruntled or seek to profit from the data in some way. In many cases, the theft happens after an employee leaves a company or just before the individual leaves to join or start another company.

For example, in 2010, a senior research chemist at DuPont was sentenced to 14 months in prison for stealing millions of dollars in trade secrets that he intended to use in a job with a new employer. That same year, Terry Childs, a systems administrator at the city of San Francisco, was sentenced to a four-year prison term for using his privileged access to lock city officials out of a key network for several days over a job-related dispute.

By most public accounts so far, none of these situations apply to Marsh, prompting some to wonder why he may have misappropriated the data.

Continuing Threat

Regardless of motive, the theft highlights the continuing threat enterprises face from authorized users. Over the years, numerous companies have experienced issues as a result of theft and inadvertent data exposure from employees and other authorized users, such as partners and suppliers.

Because most enterprise security efforts focus on stopping external attackers, companies seldom have the controls they need to monitor improper access to data and systems by authorized users. Employees and other authorized users often have far more access than they need to the network and data, and little effort is made to monitor for suspicious and inappropriate activity. In particular, employees in areas such as sales, financing and accounting have far too much access to customer information, intellectual property and other data.

“Determining who has access to critical enterprise data, how they are able to combine data to use in the course of their work and what they are able to do with it once they have access to it are all part of an overall security policy and its enforcement,” Steve Hultquist, chief technology officer at security analytics company RedSeal, said in an email to eSecurity Planet. “Building data and network security policies to thwart the likely approaches to steal information is a foundation for limiting possible damage” from insiders.

Image Source: Flickr

More from

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today