Morgan Stanley Admits 350K Records Compromised by Rogue Employee

Morgan Stanley announced on Monday that it had fired a financial adviser after he allegedly stole data regarding 350,000 clients and posted some of that information online.

The wealth-management firm said there was no evidence of any economic loss to any client, but that account information of an estimated 900 clients was briefly posted on the Internet.

According to Morgan Stanley, as soon as the firm detected this exposure, the information was promptly removed.


The firm estimated that, overall, partial account information of up to 10 percent of its 3.5 million wealth-management clients was stolen. This data included account names, numbers and transactional information from customer statements, but not account passwords or Social Security numbers.

Authorities are questioning whether Morgan Stanley financial adviser Galen Marsh, 30, who worked out of the firm’s New York offices, was the one who posted clients’ account information on the information-sharing site Pastebin. The poster offered to trade the data for an obscure virtual currency known as Speedcoins, which is a Bitcoin knockoff.

Marsh’s lawyer, Robert Gottlieb, said that his client did take the data but did not post it online, share it or try to sell it.

According to The Wall Street Journal, there was a Dec. 15 posting on the site Pastebin that boasted “about 6 000 000 account records” from Morgan Stanley and a vague offer to “buy data.” However, that posting, which has been taken down, did not trigger an alarm at Morgan Stanley. It was another posting on Dec. 27, which mentioned details regarding the account data of 1,200 clients, that sparked attention within the firm and prompted an immediate FBI investigation. The Financial Industry Regulatory Authority (FINRA) is also looking into the matter.

Following the breach, Marsh, who had worked for the firm since 2008, was questioned, fired and escorted out of the Morgan Stanley office to his home. Officials found that Marsh had downloaded to his office computer the same database that was posted online, and also discovered personal devices at his home, including a computer and storage devices, that held client data.

The Wall Street Journal noted, “it isn’t uncommon practice within the wealth-management industry to squirrel away information about clients before leaving for another firm, since a stable of wealthy clients is the lifeblood of any successful advisory practice.”

Morgan Stanley is taking the precaution of notifying all potentially affected clients and instituting enhanced security procedures including fraud monitoring on these accounts, according to a company-issued press release.
