Morgan Stanley disclosed Monday it had suffered a cyber-security breach, saying an employee stole account information for up to 350,000 wealth-management clients and posted some of the data on a web site.
The employee has been fired and there is no evidence of any economic loss to any client, Morgan Stanley said in a news release. The Wall Street Journal identified the employee as Galen Marsh, a financial adviser who worked at a New York branch of Morgan Stanley’s wealth-management unit.
“Morgan Stanley takes extremely seriously its responsibility to safeguard client data, and is working with the appropriate authorities to conduct and conclude a thorough investigation of this incident,” the company said.
Bloomberg, citing a person familiar with the matter, reported that the FBI is investigating the breach. Morgan Stanley’s inquiry found the employee may have been seeking to sell the stolen information, though there was no evidence any third party received it, the source told Bloomberg.
“Regulators are pushing banks to be more vigilant about and hold capital against so-called operational risk, potential harm to a firm’s business or reputation from human error, external threats, fraud and litigation,” Bloomberg noted. Last year, a hacking attack on JPMorgan Chase compromised the personal information of about 76 million households.
Morgan Stanley said partial account information for up to 10% of wealth-management clients was stolen and certain data, including account names and numbers, of about 900 clients was briefly posted online. The firm “detected this exposure and the information was promptly removed,” it said.
All affected clients are being notified of the breach and Morgan Stanley is “instituting enhanced security procedures including fraud monitoring on these accounts.”
The data that was stolen did not include account passwords or Social Security numbers, the bank said. According to Bloomberg, bank account and credit-card data also were not compromised.
Marsh, 30, joined Morgan Stanley in 2008 and had been promoted from trainee less than a year ago, the WSJ said. In a statement, Marsh’s lawyer acknowledged that his client obtained the account information but denied that he posted any of it online or ever intended to sell it.