FTC investigation finds glitch to blame in Morgan Stanley data breach

Morgan Stanley won't face Federal Trade Commission action as a result of a data breach that compromised information of some 350,000 clients.
JUN 02, 2015
Morgan Stanley will not be facing action from the Federal Trade Commission as a result of a client data breach in December that compromised information of some 350,000 clients, according to a letter made public on the FTC's website Monday afternoon. The FTC determined that the breach, which was quickly traced back to a former broker, Galen Marsh, had been made possible because of a glitch in Morgan Stanley's data security controls, and not a failure on Morgan Stanley's part to secure account information in a “reasonable and appropriate manner.” “In this instance, our investigation determined that the Morgan Stanley employee was able to gain access to client data, despite such controls, because the access controls applicable to a narrow set of reports were improperly configured,” said Maneesha Mithal, associate director of the division of privacy and identity protection at the FTC, in the letter. “Morgan Stanley promptly fixed the problem when it came to the company's attention.” Otherwise, the firm had reasonable comprehensive policies in place, the FTC said. Brokers, for example, were not allowed to access personal data outside the specific clients they served, and the firm monitored the size and frequency of data transfers by employees and prohibited employee use of USBs and other devices to remove client data. The FTC's letter made no determination as to whether Mr. Marsh had violated any rules, or how exactly the information ended up on several websites. The agency said it had determined that the data appeared online after “an employee misappropriated wealth management client information, transferring the data from the Morgan Stanley computer network to a personal website accessed at work, and then onto personal devices.” It was initially suspected that Mr. Marsh may have posted the data online in exchange for virtual currencies such as Bitcoin. But his attorney, Robert C. Gottlieb of Gottlieb & Cordon, said his client had never posted the information, and in February, federal authorities were looking into the possibility that he had been targeted by hackers after he removed the client data from Morgan Stanley's network. The New York Times reported that the Federal Bureau of Investigation had opened a criminal investigation and the Financial Industry Regulatory Authority Inc. was examining the matter. According to Finra spokeswoman Nancy Condon, the agency has deferred to other regulators on this issue to avoid duplication. A source familiar with the situation said other investigations into the breach were still ongoing. Mr. Gottlieb declined to comment. Mr. Marsh was not specifically named in the FTC's letter, but multiple sources confirmed on background that it was tied to the same case. Mr. Marsh was fired January 2 for allegations that “accused him of removing certain confidential client account information from the firm without authorization,” according to his BrokerCheck report. A spokeswoman for Morgan Stanley, Christine Jockle, said in an emailed statement that there was no evidence that any fraud had occurred in the affected client accounts and reiterated that the firm had acted quickly after it discovered the information had been leaked. “Following the firm's discovery of the incident, it quickly identified the employee who stole the data and terminated him,” Ms. Jockle wrote in an email. “The Firm promptly alerted law enforcement and regulators, notified affected clients, changed account numbers and offered identity protection services.”

Latest News

The fight over the CFPB is just beginning
The fight over the CFPB is just beginning

Locked out of their offices and told to stay home, employees at the Consumer Financial Protection Bureau have asked the courts to intervene as Elon Musk and Republican leaders move to shut down the agency that was established to protect people from predatory lending and financial scams.

Business-focused wealth tech RISR lands $8B Wealthcare Capital Management partnership
Business-focused wealth tech RISR lands $8B Wealthcare Capital Management partnership

Fintech platform interVal has also introduced a new feature to help advisors support entrepreneurial business owner clients better.

LPL boosts revenue potential with amped-up alts platform
LPL boosts revenue potential with amped-up alts platform

Along with greater revenue, alternative investments also carry risks, one industry lawyer noted.

How SageSpring Wealth Partners' next-gen strategy has fueled its success
How SageSpring Wealth Partners' next-gen strategy has fueled its success

President Jeff Dobyns unpacks the strategic power of mentorship, what makes an "ideal team player," and how the firm's 89 percent success rate has paid off for veteran advisors.

Powell heads for hot-seat hearings with ongoing pressure from Trump policies
Powell heads for hot-seat hearings with ongoing pressure from Trump policies

The Fed chair is in for some "hyper-charged" meetings, with legislators likely to raise questions on tariff threats and apparent steps to comply with anti-DEI orders.

SPONSORED Taylor Matthews on what's behind Farther's rapid growth

From 'no clients' to reshaping wealth management, Farther blends tech and trust to deliver family-office experience at scale.

SPONSORED Why wealth advisors should care about the future of federal tax policy

Blue Vault features expert strategies to harness for maximum client advantage.