(Reuters) -- Morgan Stanley has fired an employee for allegedly stealing account information from as many as 350,000 of its wealth management clients and posting some of it on the Internet, the bank said in a statement on Monday.
The bank discovered the theft and disclosure of some of the client data on a website on Dec. 27 as part of a routine Internet sweep and quickly got the information taken down, a person familiar with the matter said.
Morgan Stanley said there is no evidence any clients lost money as a result of the data breach and that sensitive information like passwords or Social Security numbers was not included in the online post.
The former employee publicized information of about 900 clients, including names and account numbers, in what appeared to be an advertisement to sell data to a party who would be willing to pay for it, the person said.
Account numbers for the 900 clients have since been changed, and Morgan Stanley has been notifying affected clients about the data theft.
Morgan Stanley's investigation into the matter is ongoing, and the bank declined to name the employee or the website. It has referred the matter to regulators and law enforcement authorities, who are conducting separate investigations.
While the former employee posted some data on about 900 wealth management clients, he downloaded more information on about 350,000, or around 10 percent of the bank's total.
Data security has become an increasingly big risk and budget item for major financial firms in recent years. Though the focus has largely been on risks posed by external hackers, some experts say inside sources can be just as big a threat.
For instance, the cybersecurity firm Norse says it suspects a Sony insider might have helped launch the recent attack that led to the disclosure of embarrassing internal emails, among other data.
It was not immediately clear how the Morgan Stanley employee was able to breach compliance protocol to steal the client information and post it on the Web.
The person familiar with the matter, who was not authorized to speak publicly, said the former employee used an outside application to post the data externally. The bank has since restricted employee access to that application.