January 8, 2015 By Jaikumar Vijayan 3 min read

The tale of former Morgan Stanley financial adviser Galen Marsh and his alleged improper access to records belonging to 350,000 of the firm’s wealthiest clients highlights why security managers consider insider threats to be one of their most intractable problems.

Data Theft

Marsh, an employee with Morgan Stanley’s Wealth Management group, was fired earlier this week for allegedly stealing what the company described as partial client data belonging to about 10 percent of its 3.5 million clients. The stolen information included account names, numbers and some transactional data from customer statements.

Information belonging to about 900 of those clients was later posted on Pastebin in December, along with instructions on how to purchase the data in its entirety by visiting a site that lets people buy and sell files anonymously. Marsh has reportedly admitted to accessing the client account data. However, several media outlets have quoted his lawyer as saying that his client did not post any data online, nor did he have any plans to sell the data. It remains unclear how Marsh was able to download the contents of the Wealth Management client database to his computer and then apparently transfer them to his personal computer, the Wall Street Journal noted.

According to Morgan Stanley, no account passwords or Social Security numbers were stolen, and there is no indication that any of the data that was accessed has been misused. The data posted on Pastebin was removed the same day, and the company has notified the appropriate law enforcement and regulatory authorities of the breach.

Morgan Stanley Motive a Mystery

The incident has garnered considerable attention for both its scope and for the relatively unusual circumstances surrounding the theft. Most incidents of insider theft involve individuals who are either disgruntled or seek to profit from the data in some way. In many cases, the theft happens after an employee leaves a company or just before the individual leaves to join or start another company.

For example, in 2010, a senior research chemist at DuPont was sentenced to 14 months in prison for stealing millions of dollars in trade secrets that he intended to use in a job with a new employer. That same year, Terry Childs, a systems administrator at the city of San Francisco, was sentenced to a four-year prison term for using his privileged access to lock city officials out of a key network for several days over a job-related dispute.

By most public accounts so far, none of these situations apply to Marsh, prompting some to wonder why he may have misappropriated the data.

Continuing Threat

Regardless of motive, the theft highlights the continuing threat enterprises face from authorized users. Over the years, numerous companies have experienced issues as a result of theft and inadvertent data exposure from employees and other authorized users, such as partners and suppliers.

Because most enterprise security efforts focus on stopping external attackers, companies seldom have the controls they need to monitor improper access to data and systems by authorized users. Employees and other authorized users often have far more access than they need to the network and data, and little effort is made to monitor for suspicious and inappropriate activity. In particular, employees in areas such as sales, financing and accounting have far too much access to customer information, intellectual property and other data.

“Determining who has access to critical enterprise data, how they are able to combine data to use in the course of their work and what they are able to do with it once they have access to it are all part of an overall security policy and its enforcement,” Steve Hultquist, chief technology officer at security analytics company RedSeal, said in an email to eSecurity Planet. “Building data and network security policies to thwart the likely approaches to steal information is a foundation for limiting possible damage” from insiders.

Image Source: Flickr

More from

CISA chief AI officer follow-up: Current state of the role (and where it’s heading)

4 min read - At the beginning of August, CISA announced that it had appointed Lisa Einstein, Senior Advisor of its artificial intelligence division, as its new chief AI officer. This announcement came following several new initiatives in the last couple of years focused on gaining a clearer understanding of the potential security impacts of AI.With the National Cybersecurity Strategy and the supporting National Cybersecurity Strategy Implementation Plan still evolving, there has been increased awareness of the value of organizations establishing an executive seat…

Cybersecurity risks in healthcare are an ongoing crisis

4 min read - While healthcare providers have been implementing technical, administrative and physical safeguards related to patient information, they have not been as diligent in securing their medical devices. These devices are critical to patient care and can leave hospitals at risk for cyberattacks, causing major disruptions to patient care. In fact, 88 million individuals were affected by large breaches, compromising vast amounts of electronic protected health information (ePHI) last year according to the U.S. Department of Health & Human Services. This year,…

CVE backlog update: The NVD struggles as attackers change tactics

4 min read - In February, the number of vulnerabilities processed and enriched by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) started to slow. By May, 93.4% of new vulnerabilities and 50.8% of known exploited vulnerabilities were still waiting on analysis, according to research from VulnCheck.Three months later, the problem persists. While NIST has a plan to get back on track, the current state of common vulnerabilities and exposures (CVEs) isn't keeping pace with new vulnerability detections. Here's a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today