January 8, 2015 By Jaikumar Vijayan 3 min read

The tale of former Morgan Stanley financial adviser Galen Marsh and his alleged improper access to records belonging to 350,000 of the firm’s wealthiest clients highlights why security managers consider insider threats to be one of their most intractable problems.

Data Theft

Marsh, an employee with Morgan Stanley’s Wealth Management group, was fired earlier this week for allegedly stealing what the company described as partial client data belonging to about 10 percent of its 3.5 million clients. The stolen information included account names, numbers and some transactional data from customer statements.

Information belonging to about 900 of those clients was later posted on Pastebin in December, along with instructions on how to purchase the data in its entirety by visiting a site that lets people buy and sell files anonymously. Marsh has reportedly admitted to accessing the client account data. However, several media outlets have quoted his lawyer as saying that his client did not post any data online, nor did he have any plans to sell the data. It remains unclear how Marsh was able to download the contents of the Wealth Management client database to his computer and then apparently transfer them to his personal computer, the Wall Street Journal noted.

According to Morgan Stanley, no account passwords or Social Security numbers were stolen, and there is no indication that any of the data that was accessed has been misused. The data posted on Pastebin was removed the same day, and the company has notified the appropriate law enforcement and regulatory authorities of the breach.

Morgan Stanley Motive a Mystery

The incident has garnered considerable attention for both its scope and for the relatively unusual circumstances surrounding the theft. Most incidents of insider theft involve individuals who are either disgruntled or seek to profit from the data in some way. In many cases, the theft happens after an employee leaves a company or just before the individual leaves to join or start another company.

For example, in 2010, a senior research chemist at DuPont was sentenced to 14 months in prison for stealing millions of dollars in trade secrets that he intended to use in a job with a new employer. That same year, Terry Childs, a systems administrator at the city of San Francisco, was sentenced to a four-year prison term for using his privileged access to lock city officials out of a key network for several days over a job-related dispute.

By most public accounts so far, none of these situations apply to Marsh, prompting some to wonder why he may have misappropriated the data.

Continuing Threat

Regardless of motive, the theft highlights the continuing threat enterprises face from authorized users. Over the years, numerous companies have experienced issues as a result of theft and inadvertent data exposure from employees and other authorized users, such as partners and suppliers.

Because most enterprise security efforts focus on stopping external attackers, companies seldom have the controls they need to monitor improper access to data and systems by authorized users. Employees and other authorized users often have far more access than they need to the network and data, and little effort is made to monitor for suspicious and inappropriate activity. In particular, employees in areas such as sales, financing and accounting have far too much access to customer information, intellectual property and other data.

“Determining who has access to critical enterprise data, how they are able to combine data to use in the course of their work and what they are able to do with it once they have access to it are all part of an overall security policy and its enforcement,” Steve Hultquist, chief technology officer at security analytics company RedSeal, said in an email to eSecurity Planet. “Building data and network security policies to thwart the likely approaches to steal information is a foundation for limiting possible damage” from insiders.

Image Source: Flickr

More from

Government cybersecurity in 2025: Former Principal Deputy National Cyber Director weighs in

4 min read - As 2024 comes to an end, it’s time to look ahead to the state of public cybersecurity in 2025.The good news is this: Cybersecurity will be an ongoing concern for the government regardless of the party in power, as many current cybersecurity initiatives are bipartisan. But what will government cybersecurity look like in 2025?Will the country be better off than they are today? What are the positive signs that could signal a good year for national cybersecurity? And what threats should…

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

2024 trends: Were they accurate?

4 min read - The new year always kicks off with a flood of prediction articles; then, 12 months later, our newsfeed is filled with wrap-up articles. But we are often left to wonder if experts got it right in January about how the year would unfold. As we close out 2024, let’s take a moment to go back and see if the crystal balls were working about how the year would play out in cybersecurity.Here are five trends that were often predicted for…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today