January 8, 2015 By Jaikumar Vijayan

The tale of former Morgan Stanley financial adviser Galen Marsh and his alleged improper access to records belonging to 350,000 of the firm’s wealthiest clients highlights why security managers consider insider threats to be one of their most intractable problems.

Data Theft

Marsh, an employee with Morgan Stanley’s Wealth Management group, was fired earlier this week for allegedly stealing what the company described as partial client data belonging to about 10 percent of its 3.5 million clients. The stolen information included account names, numbers and some transactional data from customer statements.

Information belonging to about 900 of those clients was later posted on Pastebin in December, along with instructions on how to purchase the data in its entirety by visiting a site that lets people buy and sell files anonymously. Marsh has reportedly admitted to accessing the client account data. However, several media outlets have quoted his lawyer as saying that his client did not post any data online, nor did he have any plans to sell the data. It remains unclear how Marsh was able to download the contents of the Wealth Management client database to his computer and then apparently transfer them to his personal computer, the Wall Street Journal noted.

According to Morgan Stanley, no account passwords or Social Security numbers were stolen, and there is no indication that any of the data that was accessed has been misused. The data posted on Pastebin was removed the same day, and the company has notified the appropriate law enforcement and regulatory authorities of the breach.

Morgan Stanley Motive a Mystery

The incident has garnered considerable attention both for its scope and for the relatively unusual circumstances surrounding the theft. Most incidents of insider theft involve individuals who are either disgruntled or seek to profit from the data in some way. In many cases, the theft happens after an employee leaves a company or just before the individual leaves to join or start another company.

For example, in 2010, a senior research chemist at DuPont was sentenced to 14 months in prison for stealing millions of dollars in trade secrets that he intended to use in a job with a new employer. That same year, Terry Childs, a systems administrator at the city of San Francisco, was sentenced to a four-year prison term for using his privileged access to lock city officials out of a key network for several days over a job-related dispute.

By most public accounts so far, none of these situations apply to Marsh, prompting some to wonder why he may have misappropriated the data.

Continuing Threat

Regardless of motive, the theft highlights the continuing threat enterprises face from authorized users. Over the years, numerous companies have experienced issues as a result of theft and inadvertent data exposure from employees and other authorized users, such as partners and suppliers.

Because most enterprise security efforts focus on stopping external attackers, companies seldom have the controls they need to monitor improper access to data and systems by authorized users. Employees and other authorized users often have far more access than they need to the network and data, and little effort is made to monitor for suspicious and inappropriate activity. In particular, employees in areas such as sales, financing and accounting have far too much access to customer information, intellectual property and other data.

“Determining who has access to critical enterprise data, how they are able to combine data to use in the course of their work and what they are able to do with it once they have access to it are all part of an overall security policy and its enforcement,” Steve Hultquist, chief technology officer at security analytics company RedSeal, said in an email to eSecurity Planet. “Building data and network security policies to thwart the likely approaches to steal information is a foundation for limiting possible damage” from insiders.
