How Safe is Your Data?

Published: March 30, 2015

By Jim Lichtman

On January 5th, I opened The New York Times and read the following: “In mid-December, a posting appeared on the Internet site Pastebin offering six million account records, including passwords and login data for clients of Morgan Stanley.

“Two weeks later, a new posting on the information-sharing site offered a teaser of actual records from 1,200 accounts, and provided a link for people interested in purchasing more…


“The offer was quickly taken down the same day, Dec. 27, after Morgan Stanley discovered the leak. In short order, the bank traced the breach to a financial advisor working out of its New York offices, a 30-year-old named Galen Marsh, according to a person involved in the investigation who spoke on the condition of anonymity.”

I immediately contacted a manager at the California office of Morgan Stanley where I have an account and a lot of questions, namely: what exactly happened, what data was taken, did this individual have access to my data and do I need to change account numbers?

She understood my questions, was aware of the breach and told me that the financial advisor, Galen Marsh, had been fired. Later, I received the following letter from Morgan Stanley.

“In late December 2014, we discovered a Morgan Stanley advisor had taken partial client account information of approximately 350,000 clients (10% of our total Wealth Management clients) and transferred it to his personal computer. Subsequently, the partial data of approximately 1,400 clients was briefly posted online in separate instances. We promptly detected the exposures and had the postings removed.

“Morgan Stanley immediately terminated the employee and referred the incident to law enforcement. Although the former employee has admitted taking the data, it’s not clear who posted it online. The former employee’s personal computer may have been hacked but Morgan Stanley’s system was not. A criminal investigation is ongoing. To date, no conclusion has been announced.

“No passwords or Social Security numbers were stolen. No client has suffered economic loss as a result of the theft. Morgan Stanley’s system was not hacked. There is no indication of any other data theft and no indication any other Morgan Stanley employees were involved.”

Regarding my question as to how a single employee could have access to so many client accounts, Morgan said that “Financial Advisors are authorized to access the data of their own clients. In this case, a former employee was able to gain unauthorized access to data in violation of our Firm’s policies and Code of Conduct. The two reports he accessed have been shut down.”

I placed a call to my Morgan Stanley broker. He assured me that the breach did not affect my accounts. If it had, he told me, he would’ve been on the phone to me immediately. I asked him how often he undergoes compliance updates. His response: “It’s ongoing. There are a variety of compliance modules that he must complete. The training is on a weekly basis.”

At the end of the day, it’s about trust – trusting my own advisor and the people that work in his group, and the best way to assure that trust is by having ongoing conversations. In the entire time I have been with my financial advisors, there has never been a time when they were not available to answer any and all questions, or refer me to the individual that could.

As cyber attacks become more prevalent, it’s incumbent on all of us to be alert and question all individuals we trust with our information – financial, medical and personal.


  1. Excellent essay. Thank you Jim. I recently became concerned about the same issue…Identification hacking, as it had occurred at Target and even Anthem Blue Cross and the Morgan Stanley of your story.

    Following the advertisements, I went online to “Life-Lock” and started the application, endorsed by the gurus of radio and TV with a 10% discount using their names. I discovered that EVERY SINGLE ASPECT of my finance, from social security number to bank account numbers to mortgage number to VA payments to car-loans and even CD numbers were required, and in frozen FEAR, backed out. “What”, I thought, “would prevent some Life-Lock employee from taking MY sensitive data and hacking me from Inside?”

    And a neighbor, with “LL ultimate plan,” leased an automobile three months ago and LL NEVER contacted him to ask if it was “really his.” Googling LL “complaints” comes up with similar scenarios of non-contact for big purchases, but to be fair, NOT one hacking from inside. Yet.

    I have NOT been able to find any attorney, CPA or other financially-educated individual who can give me a solid answer.

    I believe this: Have ONE credit card and check your statement. If fraud, you are covered. Shred anything with your numbers, accounts and balances, and, as one friend told me, “I always put a phony social number on a doctor acquaintance sheet.” (But Linda, they copied your Medicare card…that’s the social.) Hey Jim….people need to be ALERT. Thanks for the tip and advice.
