Last week, Morgan Stanley fired one of its financial advisors after accusing him of stealing the account information of 350,000 clients and posting the information for sale on the Internet. The Wall Street Journal calls the incident, “potentially the largest data theft at a wealth-management firm.”
The bank discovered the breach on December 27 after finding data from 900 client accounts posted on a website with a reputation of trafficking in personal information. Morgan Stanley fired Galen Marsh the suspected advisor, who worked at a Manhattan branch of the bank, according to the Wall Street Journal.
After reviewing the situation further, Morgan Stanley found that Marsh had downloaded the information of about 10% of its wealth-management clients—a total of about 350,000 records. The company is investigating how an employee was able to gain access to information for such a large number of clients.
Morgan Stanley says no clients were financially harmed by the breach. The bank handed the situation off to law-enforcement and regulatory bodies for further investigation.
The breach joins the list of several huge data breaches and cyber attacks committed in 2014, causing business leaders to realize the growing importance of data security. The risk is especially high for wealth management firms, who are often responsible for clients with balances of millions of dollars.
While it’s significant for Morgan Stanley clients that no Social Security numbers were compromised, an email address and phone number can still give fraudsters a doorway to more information. The biggest risk in these situations is usually phishing—a crime where thieves contact victims pretending to be their bank to ask them leading questions for more personal information.
Hackers could write an email that looks like it’s from Morgan Stanley, asking users to log in for more information about the data breach. By following the link and logging in to the fake bank site, users could give their bank account information to fraudsters.
It’s important to never give personal information to someone claiming to be from your bank—either by email or over the phone. If you receive a call or email from your bank, you should contact your bank directly to find out if the information is really needed.