FTC investigation finds glitch to blame in Morgan Stanley data breach

Morgan Stanley will not be facing action from the Federal Trade Commission as a result of a client data breach in December that compromised information of some 350,000 clients, according to a letter made public on the FTC’s website Monday afternoon.
The FTC determined that the breach, which was quickly traced back to a former broker, Galen Marsh, had been made possible because of a glitch in Morgan Stanley’s data security controls, and not a failure on Morgan Stanley’s part to secure account information in a “reasonable and appropriate manner.”
“In this instance, our investigation determined that the Morgan Stanley employee was able to gain access to client data, despite such controls, because the access controls applicable to a narrow set of reports were improperly configured,” said Maneesha Mithal, associate director of the division of privacy and identity protection at the FTC, in the letter. “Morgan Stanley promptly fixed the problem when it came to the company’s attention.”
Otherwise, the firm had reasonable comprehensive policies in place, the FTC said. Brokers, for example, were not allowed to access personal data outside the specific clients they served, and the firm monitored the size and frequency of data transfers by employees and prohibited employee use of USBs and other devices to remove client data.
The FTC’s letter made no determination as to whether Mr. Marsh had violated any rules, or how exactly the information ended up on several websites.
The agency said it had determined that the data appeared online after “an employee misappropriated wealth management client information, transferring the data from the Morgan Stanley computer network to a personal website accessed at work, and then onto personal devices.”
It was initially suspected that Mr. Marsh may have posted the data online in exchange for virtual currencies such as Bitcoin. But his attorney, Robert C. Gottlieb of Gottlieb & Cordon, said his client had never posted the information, and in February, federal authorities were looking into the possibility that he had been targeted by hackers after he removed the client data from Morgan Stanley’s network. The New York Times reported that the Federal Bureau of Investigation had opened a criminal investigation and the Financial Industry Regulatory Authority Inc. was examining the matter.
According to Finra spokeswoman Nancy Condon, the agency has deferred to other regulators on this issue to avoid duplication.
A source familiar with the situation said other investigations into the breach were still ongoing. Mr. Gottlieb declined to comment.
Mr. Marsh was not specifically named in the FTC’s letter, but multiple sources confirmed on background that it was tied to the same case.
Mr. Marsh was fired January 2 for allegations that “accused him of removing certain confidential client account information from the firm without authorization,” according to his BrokerCheck report.
A spokeswoman for Morgan Stanley, Christine Jockle, said in an emailed statement that there was no evidence that any fraud had occurred in the affected client accounts and reiterated that the firm had acted quickly after it discovered the information had been leaked.
“Following the firm’s discovery of the incident, it quickly identified the employee who stole the data and terminated him,” Ms. Jockle wrote in an email. “The Firm promptly alerted law enforcement and regulators, notified affected clients, changed account numbers and offered identity protection services.”