Morgan Stanley terminated one of its financial advisors accused of stealing and selling the account data of approximately 350,000 clients online, according to report from the Wall Street Journal based on information from a person familiar with the situation.
The person said Morgan Stanley terminated the employment of Galen Marsh who was working at the bank’s branch in Midtown Manhattan.
A post on the website Pastebin was seen indicating that around 6 million account data of the clients of Morgan Stanley were for sale on December 15.
After two-weeks, a new posting on the site showed that the actual number of account data for sale was 1,200. Interested parties were directed to a link where they can purchase the data from a website that sells digital files and accepts virtual currencies such as Bitcoin as payment. Morgan Stanley’s clients’ data were being sold using Speedcoin, a more obscure digital currency than Bitcoin.
Morgan Stanley said none of its clients were financially harmed
Morgan Stanley discovered the data breach involving 900 of its client accounts during a routine review of public websites on December 27. According to the bank, the data that appeared briefly online included account names and numbers, states of residence and asset values.
According to Morgan Stanley, it is still investigating the incident and none of its clients were financially harm. The person familiar with the situation said the bank is trying to find out how Mr. Marsh obtained clients’ data of such volume.
In a memo, Gregory Fleming, president of wealth management unit at Morgan Stanley said, “It is important to note that 90% of our clients are unaffected and, for those impacted, there is no evidence that critical data such as Social Security numbers or account passwords were exposed or taken.”
Morgan Stanley’s employee denies selling clients’ data
Mr. Robert Gottlieb, a lawyer representing Mr. Marsh said his client already suffered the severe consequences of his actions after his employment was terminated.
Mr. Gottlieb also clarified that Mr. Marsh “did not sell nor ever intended to sell any account information. He did not post the information online. He did not share any account information with anyone. He did not use it for any financial gain. He is devastated by what has occurred and is extremely sorry for his conduct.”
Morgan Stanley reported that incident to regulators and law-enforcement authorities including the Federal Bureau of Investigation (FBI) and the Financial Industry Regulatory Authority (FINRA).