Federal authorities are probing whether a hacker is behind the
online publication of a cache of Morgan Stanley's client data--and
not the financial adviser who was fired in connection with the
breach, people familiar with the matter said.
This latest twist raises the possibility that the incident is
connected to larger cybersecurity concerns on Wall Street and isn't
an isolated episode tied solely to the questionable judgment of a
junior executive.
Morgan Stanley fired the adviser, Galen Marsh, last month after
he acknowledged accessing account information on 350,000 of the
firm's wealth-management clients and taking it home with him. His
firing occurred not long after details related to 1,200 accounts
were posted online along with an offer to sell a larger stash of
information.
Mr. Marsh, 30 years old, has denied posting any of the data
online or seeking to sell it.
Federal law-enforcement officials are focusing their probe on
the possibility that Mr. Marsh's computer was hacked.
It is unclear who might have been responsible for the hack.
Officials haven't arrested anyone in connection with their
investigation, which is continuing.
Meanwhile, pieces of the same cache of client information have
continued to surface online.
Since Morgan Stanley disclosed the breach, contacted the Federal
Bureau of Investigation and fired Mr. Marsh, the account
information has reappeared on several occasions, both in a public
feed found on Twitter and back on Pastebin, the text-sharing site
where Morgan Stanley had spotted its clients" information on Dec.
27. The more recent posts came from the same data set Mr. Marsh had
accessed at work, though they didn't match up exactly with the
1,200 accounts that appeared on Pastebin in December, a person
familiar with the matter said.
Morgan Stanley spotted the new postings and again took steps to
have them removed from public view. The firm is changing the
account numbers of those clients whose data were taken by Mr.
Marsh, beginning with those whose information appeared publicly,
and offering them credit and identity-theft protective services. No
clients have reported fraud as a result.
At least two Twitter users posted tweets in January inviting
viewers to access Morgan Stanley client data. One of those users
provided links to the "Morgan Stanley hacked files" on
filedropper.com. Then, on Jan. 31, a different Twitter account
published screenshots of what appear to be account information on
two Morgan Stanley clients, according to a cached version of the
Twitter feed.
The two clients told The Wall Street Journal they were contacted
soon after Mr. Marsh was fired but said they didn't know their
information was again posted online. One of them said their account
number had been changed; the other said the account in question had
been closed in 2014.
The data include client names and account numbers as well as
details on their investments. A person familiar with the matter
said the data found on the more-recent postings listed several
hundred accounts--far fewer than the 1,200 accounts--held by 900
clients--that appeared in late December.
Questions remain about the incident, including whether Mr.
Marsh's computer was possibly targeted because he worked for a
major Wall Street firm.
In the wake of the incident, Morgan Stanley tightened access to
its client database so that individual advisers no longer have
access to such wide swaths of account data.
Federal authorities also are continuing to look for answers on
why Mr. Marsh accessed the client information in the first place,
people familiar with the matter said.
Mr. Marsh told Morgan Stanley executives that he had accessed
the client information and stored it on his personal computer to
learn how successful advisers had built their customers"
portfolios, people familiar with the matter said. Morgan Stanley
executives believe he acted alone, one person said.
Federal investigators are seeking to determine whether Mr. Marsh
brought the data home in anticipation of a move by the team of
advisers with whom he had worked alongside for more than six years.
Mr. Marsh was a junior member of the 1211 Group, a successful
wealth-advisory office in Midtown Manhattan. The team had moved
together from Bear Stearns Cos. in 2008. Mr. Marsh was promoted
from trainee to full-fledged financial adviser in April.
A senior adviser on Mr. March's team, Mark Seruya, talked last
year to UBS AG about moving to the rival wealth manager, people
familiar with the matter said. In September, UBS sent Mr. Seruya a
letter of understanding outlining terms of his offer to join the
Swiss bank, one person said. Talks are no longer active and the
offer expired, the people said.
Mr. Seruya said through a Morgan Stanley spokesman that he had
discussions with UBS more than a year ago but decided not to
leave.
Mr. Marsh told Morgan Stanley executives he acted alone, people
familiar with the matter said. The New York-based firm hasn't taken
disciplinary action on any other employee in connection with the
client data breach.
Mr. Seruya managed $2.26 billion in client money as of October
2012, according to REP. magazine, which ranked him among their "Top
100 Wirehouse Advisors" that year.
Top advisers are in demand and routinely field inquiries from
recruiters. "Transition packages are at an all-time high," said
Mindy Diamond, president and chief executive at Diamond
Consultants, a recruiting firm that caters to wealth advisers.
"Every adviser--if one foot isn't already out the door--is
certainly exploring their options."
Access Investor Kit for Morgan Stanley
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=US6174464486
Subscribe to WSJ: http://online.wsj.com?mod=djnwires