Wall Street giant Morgan Stanley says a financial advisor at the firm’s New York City headquarters has admitted to stealing client information pertaining to roughly 350,000 customers after some of those records ended up on the web.
The employee, 30-year-old Galen Marsh, told Bloomberg News through an attorney on Monday that he “acknowledged that he should not have obtained the account information and has been cooperating with Morgan Stanley to protect the firm and its customers.”
Morgan Stanley routinely checks the internet to make sure sensitive information isn’t leaked, Reuters reported on Monday, and learned on December 27 that a trove of data pertaining to around 900 clients had been publicly posted on the website Pastebin.com. Marsh, who joined the bank in 2008, was terminated from his role last week, according to multiple news reports, and told Bloomberg through attorney Robert C. Gottlieb that he is "extremely sorry for his conduct,” but did not post the files to Pastebin.
News of the breach and Marsh’s termination first became public on Monday this week after Morgan Stanley announced in a press release that the firm had earlier that day started advising wealth management clients in regards to the breach.
“While there is no evidence of any economic loss to any client, it has been determined that certain account information of approximately 900 clients, including account names and numbers, was briefly posted on the Internet before being removed. Morgan Stanley detected this exposure and the information was promptly removed,” the statement reads in part.
It’s since been reported by Bloomberg that the 900 clients whose records were released represented only a fraction of the 350,000 customers whose details were compromised, although the firm admitted in Monday’s statement that the stolen data does not include account passwords or Social Security numbers.
“Mr. Marsh did not sell nor ever intend to sell any account information whatsoever,” Gottlieb, his lawyer, told Michael J. Moore at Bloomberg Businessweek. “He did not post the information online. He did not share any account information with anyone nor use it for any financial gain.”
Whoever did post the data on Pastebin, however, did so with the apparent aim of profit. According to The New York Times, the original posting contained a teaser of the actual records, along with a link where a larger cache was allegedly available in exchange for Speedcoin – a type of obscure digital cryptocurrency.
Justin Baer, a reporter for The Wall Street Journal, described the breach as being “potentially the largest data theft at a wealth-management firm.” Multiple media outlets have reported that the Federal Bureau of Investigation has opened a criminal probe into the manner, citing anonymous sources.
“Morgan Stanley takes extremely seriously its responsibility to safeguard client data, and is working with the appropriate authorities to conduct and conclude a thorough investigation of this incident,” the company said.
Morgan Stanley’s stock fell 3.1 percent on Monday – to $37.50 in New York – according to Bloomberg, signaling the biggest drop for the firm since October. As of early Tuesday afternoon, the company’s value had yet to recover from the previous day’s downturn.