Morgan Stanley Financial Advisor Steals 730,000 Client Records

A Morgan Stanley financial advisor downloaded 730,000 client account records — account names, numbers, and investment values — onto personal devices and leaked portions online before being arrested.

Morgan Stanley · 2015 · 2 min read

Background

Galen Marsh was a financial advisor at Morgan Stanley with legitimate access to client account data as part of his job. Between 2011 and 2014, he used that access to systematically transfer client data to a personal server. In 2015, portions of the data appeared online on Pastebin.

The Attack

Marsh transferred client records to his home server over a three-year period, accessing data well beyond what was operationally necessary for his client base. The data included account numbers, balances, and personal information. When portions appeared on Pastebin in January 2015, Morgan Stanley detected the leak. Investigation revealed the broader exfiltration. Marsh claimed the data was later stolen from his personal server by an unknown hacker before being posted online.

Response

Morgan Stanley fired Marsh and notified 900 clients whose data appeared in the Pastebin posts. The company notified all 730,000 affected clients and offered identity protection services. Marsh pleaded guilty to theft of confidential client data. He was sentenced to three years of probation and a $600,000 fine.

Outcome

The case highlighted that financial advisors have legitimate access to large amounts of client data that can be misused. The three-year exfiltration period without detection demonstrated inadequate data access monitoring. The case preceded GDPR and contributed to financial services regulators strengthening expectations around insider data theft monitoring.

Key Takeaways

  1. Financial advisors' data access must be scoped to clients they actively serve — not the entire database
  2. Anomalous large-volume client data access patterns must trigger alerts regardless of the employee's legitimate access level
  3. Data sent to personal devices or servers from work systems must be detected and blocked by DLP tools
  4. A three-year exfiltration without detection represents a monitoring failure — user and entity behaviour analytics (UEBA) can catch this
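The first, second and fourth takeaways describe two checks a monitoring pipeline can run over client-record access logs: reads of clients outside an advisor's assigned book of business, and a day whose distinct-client volume is far above that advisor's own baseline. The following is an added example written for this page, not Morgan Stanley's tooling or any product's code; the log format (pipe-delimited `timestamp|user|client|action`), the advisor names, the book-of-business mapping, the 3x volume multiplier and all log lines are constructed for illustration.

```python
"""Insider-access monitoring sketch: flag advisors whose client-record reads
fall outside their assigned book of business or spike above their own
historical daily volume.  Added example; every name and line below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    client_id: str
    action: str  # e.g. "view" or "export"


# Constructed book of business: the clients each advisor legitimately serves.
BOOK_OF_BUSINESS = {
    "advisorA": {"C1001", "C1002", "C1003"},
    "advisorB": {"C2001", "C2002"},
}

# Constructed log lines.  advisorA reads two clients a day for three days, then
# on the fourth evening exports 20 distinct clients, 17 of them outside the book.
SAMPLE_LOG = [
    "2014-03-03T09:00:00|advisorA|C1001|view",
    "2014-03-03T09:05:00|advisorA|C1002|view",
    "2014-03-04T09:00:00|advisorA|C1001|view",
    "2014-03-04T09:05:00|advisorA|C1002|view",
    "2014-03-05T09:00:00|advisorA|C1001|view",
    "2014-03-05T09:05:00|advisorA|C1002|view",
    "2014-03-03T10:00:00|advisorB|C2001|view",
    "2014-03-04T10:00:00|advisorB|C2002|view",
    "2014-03-05T10:00:00|advisorB|C2001|view",
    "2014-03-06T10:00:00|advisorB|C2001|view",
    "2014-03-06T10:05:00|advisorB|C2002|view",
] + [
    f"2014-03-06T22:{i:02d}:00|advisorA|C{1001 + i if i < 3 else 3001 + i - 3}|export"
    for i in range(20)
]


def parse_line(line: str) -> AccessEvent:
    """Parse one constructed 'ts|user|client|action' log line."""
    ts, user, client, action = line.strip().split("|")
    return AccessEvent(datetime.fromisoformat(ts), user, client, action)


def daily_distinct_clients(events):
    """Map (user, day) -> set of distinct client IDs touched that day."""
    per_day = defaultdict(set)
    for e in events:
        per_day[(e.user, e.ts.date())].add(e.client_id)
    return per_day


def detect(events, book, volume_multiplier=3.0, min_history_days=3):
    """Return alert tuples for scope violations and daily volume spikes."""
    alerts = []

    # Check 1: any read of a client outside the advisor's assigned book.
    out_of_scope = defaultdict(set)
    for e in events:
        if e.client_id not in book.get(e.user, set()):
            out_of_scope[e.user].add(e.client_id)
    for user, clients in sorted(out_of_scope.items()):
        alerts.append(("OUT_OF_SCOPE", user, len(clients)))

    # Check 2: a day's distinct-client count far above the user's own median,
    # computed only from the days before it so the spike does not inflate its baseline.
    by_user = defaultdict(list)
    for (user, day), clients in daily_distinct_clients(events).items():
        by_user[user].append((day, len(clients)))
    for user, days in by_user.items():
        days.sort()
        for i, (day, count) in enumerate(days):
            history = [c for _, c in days[:i]]
            if len(history) < min_history_days:
                continue  # not enough history to judge; a real system would use peer baselines too
            baseline = median(history)
            if count > volume_multiplier * max(baseline, 1):
                alerts.append(("VOLUME_SPIKE", user, day.isoformat(), count, baseline))
    return alerts


def run(lines=SAMPLE_LOG):
    """Parse the given log lines and run both checks against the constructed book."""
    return detect([parse_line(l) for l in lines], BOOK_OF_BUSINESS)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The scope check fires on the first out-of-book read, which is the control the first takeaway asks for; the volume check needs a few days of history before it can judge, which is why a real deployment would pair a per-user baseline with a peer-group baseline so that a new hire or a newly compromised account has something to be compared against.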
financial data, client records, data theft, financial advisor, personal server