On January 5th, I opened The New York Times and read the following: “In mid-December, a posting appeared on the Internet site Pastebin offering six million account records, including passwords and login data for clients of Morgan Stanley.
“Two weeks later, a new posting on the information-sharing site offered a teaser of actual records from 1,200 accounts, and provided a link for people interested in purchasing more…
“The offer was quickly taken down the same day, Dec. 27, after Morgan Stanley discovered the leak. In short order, the bank traced the breach to a financial advisor working out of its New York offices, a 30-year-old named Galen Marsh, according to a person involved in the investigation who spoke on the condition of anonymity.”
I immediately contacted a manager at the California office of Morgan Stanley, where I have an account, with a lot of questions, namely: what exactly happened, what data was taken, did this individual have access to my data, and do I need to change account numbers?
She understood my questions, was aware of the breach and told me that the financial advisor, Galen Marsh, had been fired. Later, I received the following letter from Morgan Stanley.
“In late December 2014, we discovered a Morgan Stanley advisor had taken partial client account information of approximately 350,000 clients (10% of our total Wealth Management clients) and transferred it to his personal computer. Subsequently, the partial data of approximately 1,400 clients was briefly posted online in separate instances. We promptly detected the exposures and had the postings removed.
“Morgan Stanley immediately terminated the employee and referred the incident to law enforcement. Although the former employee has admitted taking the data, it’s not clear who posted it online. The former employee’s personal computer may have been hacked but Morgan Stanley’s system was not. A criminal investigation is ongoing. To date, no conclusion has been announced.
“No passwords or Social Security numbers were stolen. No client has suffered economic loss as a result of the theft. Morgan Stanley’s system was not hacked. There is no indication of any other data theft and no indication any other Morgan Stanley employees were involved.”
Regarding my question as to how a single employee could have access to so many client accounts, Morgan said that “Financial Advisors are authorized to access the data of their own clients. In this case, a former employee was able to gain unauthorized access to data in violation of our Firm’s policies and Code of Conduct. The two reports he accessed have been shut down.”
I placed a call to my Morgan Stanley broker. He assured me that the breach did not affect my accounts. If it had, he told me, he would’ve been on the phone to me immediately. I asked him how often he undergoes compliance updates. His response: “It’s ongoing.” There are a variety of compliance modules that he must complete. The training is on a weekly basis.
At the end of the day, it’s about trust – trusting my own advisor and the people who work in his group, and the best way to assure that trust is by having ongoing conversations. In the entire time I have been with my financial advisors, there has never been a time when they were not available to answer any and all questions, or refer me to the individual who could.
As cyber attacks become more prevalent, it’s incumbent on all of us to be alert and question all individuals we trust with our information – financial, medical and personal.