Morgan Stanley (MS) discovered client data was stolen after someone posted information on 900 of its brokerage customers on the website Pastebin last month and asked potential buyers to pay for more with a virtual currency, according to a person briefed on the investigation.
The bank had the data removed promptly and notified law enforcement about the theft of information for as many as 350,000 wealth-management clients, the New York-based company said yesterday. The Dec. 27 Pastebin posting asked for 78,000 speedcoins in return for information on Morgan Stanley clients, according to the person, who asked not to be named because probes are under way.
Galen Marsh, the 30-year-old financial adviser who was fired by Morgan Stanley and accused of stealing the data, didn’t post the information online, share it with anyone nor intend to sell it, his lawyer said yesterday in a phone interview. Marsh, who joined the bank in 2008 and worked in New York, was dismissed last week.
Marsh “acknowledged that he should not have obtained the account information and has been cooperating with Morgan Stanley to protect the firm and its customers,” said the lawyer, Robert C. Gottlieb of Gottlieb & Gordon LLP. He declined to comment on why his client obtained the data.
While the bank said it hasn’t found evidence that customers lost money, it’s notifying all those potentially affected, about 10 percent of its wealth-management clients, and enhancing security on those accounts. The Federal Bureau of Investigation’s New York office is probing the incident, according to a person familiar with the matter.
The Pastebin post came two weeks after someone anonymously offered information including client passwords on that website, according to the person briefed on Morgan Stanley’s inquiry. Pastebin describes itself as a site where a user can store text online for a set period.
Speedcoin isn’t yet accepted as virtual currency, though a network is being built to allow that, according to the website speedcoin.co. One speedcoin is worth 0.00000013 bitcoin, making 78,000 speedcoins worth about $2.81, according to cryptonator.com, a website that tracks virtual currencies, and Bitstamp data compiled by Bloomberg.
E-mail addresses on the first Pastebin listing don’t appear to be linked to Marsh, according to the New York Times, which reported details of the postings yesterday.
The information that was stolen didn’t include passwords or Social Security numbers, Morgan Stanley said yesterday in a statement. The bank found the employee may have been seeking to sell the stolen information, though there was no evidence any third party received it, the person briefed on the matter said.
Marsh joined Morgan Stanley as a sales assistant and last year was promoted to financial adviser, according to the person briefed on the matter. He previously worked at Bear Stearns Cos., Financial Industry Regulatory Authority records show.
He graduated in 2006 from Muhlenberg College in Allentown, Pennsylvania, where he played lacrosse, and went to Duke University’s Fuqua School of Business, according to his LinkedIn profile.
“Our systems detected this crime and we rapidly discovered its perpetrator,” Greg Fleming, president of Morgan Stanley’s wealth-management division, said in a memo to employees. “While the situation is disappointing, it is always difficult to prevent harm caused by those willing to steal.”
Regulators are pushing banks to be more vigilant about and hold capital against so-called operational risk, potential harm to a firm’s business or reputation from human error, external threats, fraud and litigation.
A hacking attack against JPMorgan Chase & Co. (JPM) last year compromised personal information of about 76 million households and 7 million small businesses.
In 2011, Morgan Stanley’s brokerage unit said unencrypted compact discs containing tax information for 34,000 clients were lost in transit to the New York State Department of Taxation and Finance. The firm said at the time it found no evidence the data were misused.
Morgan Stanley fell 3.1 percent to $37.50 in New York Monday, the most since October. The shares dropped 1.8 percent at 10:40 a.m. (ET )Tuesday.
To contact the reporter on this story: Michael J. Moore in New York at email@example.com To contact the editors responsible for this story: Peter Eichenbaum at firstname.lastname@example.org Steve Dickson