Morgan Stanley (MS) discovered client data was stolen after someone posted information on 900 of its brokerage customers on the website Pastebin last month and asked potential buyers to pay for more with a virtual currency, according to a person briefed on the investigation.
The bank had the data removed promptly and notified law enforcement about the theft of information for as many as 350,000 wealth-management clients, the New York-based company said yesterday. The Dec. 27 Pastebin posting asked for 78,000 speedcoins in return for information on Morgan Stanley clients, according to the person, who asked not to be named because probes are under way.
Galen Marsh, the 30-year-old financial adviser who was fired by Morgan Stanley and accused of stealing the data, didn’t post the information online, share it with anyone nor intend to sell it, his lawyer said yesterday in a phone interview. Marsh, who joined the bank in 2008 and worked in New York, was dismissed last week.
Marsh “acknowledged that he should not have obtained the account information and has been cooperating with Morgan Stanley to protect the firm and its customers,” said the lawyer, Robert C. Gottlieb of Gottlieb & Gordon LLP. He declined to comment on why his client obtained the data.
While the bank said it hasn’t found evidence that customers lost money, it’s notifying all those potentially affected, about 10 percent of its wealth-management clients, and enhancing security on those accounts. The Federal Bureau of Investigation’s New York office is probing the incident, according to a person familiar with the matter.
The Pastebin post came two weeks after someone anonymously offered information including client passwords on that website, according to the person briefed on Morgan Stanley’s inquiry. Pastebin describes itself as a site where a user can store text online for a set period.
Speedcoin isn’t yet accepted as virtual currency, though a network is being built to allow that, according to the website speedcoin.co. One speedcoin is worth 0.00000013 bitcoin, making 78,000 speedcoins worth about $2.81, according to cryptonator.com, a website that tracks virtual currencies, and Bitstamp data compiled by Bloomberg.
E-mail addresses on the first Pastebin listing don’t appear to be linked to Marsh, according to the New York Times, which reported details of the postings yesterday.
The information that was stolen didn’t include passwords or Social Security numbers, Morgan Stanley said yesterday in a statement. The bank found the employee may have been seeking to sell the stolen information, though there was no evidence any third party received it, the person briefed on the matter said.