Schedule Demo
Cyber Security 2 Minute Read

Bringing your work home with you? What could possibly go wrong..?

Featured image: Morgan Stanley Name on Door - Read full post: Bringing your work home with you? What could possibly go wrong..?

U.S. v. Marsh, U.S. District Court for the Southern District of New York, No. 15-641

In the U.S. a financial adviser at Morgan Stanley has pleaded guilty to illegally accessing the bank’s computers and taking the information home with him. 

From 2011 onwards, 31-year-old Galen Marsh made thousands of unauthorised searches of confidential information on the firm’s computer systems using the identification numbers of other Morgan Stanley branches, groups and advisers. He then uploaded the data, containing client names, addresses, account numbers and investment information relating to 730,000 accounts to a personal server at his home.

The information was subsequently hacked and details related to 1,200 Morgan Stanley clients appeared on Pastebin (a text-sharing website) in December 2014 and also on Twitter in early 2015. Marsh was fired in January of this year and pleaded guilty in September to one felony count of exceeding his authorised access to a computer at his place of employment. He has since stated that he accessed the information in question in order to assess how other advisers managed clients’ money. Morgan Stanley has also stated that although up to 10% of their wealth management clients were affected, none suffered any financial loss from the security breach.

In a recent court document filed ahead of his sentencing hearing, Marsh’s lawyers wrote that “based upon conversations with representatives of Morgan Stanley, we learned that hackers emanating from Russia were suspected of posting the information and offering to sell it online.” The same document also states that investigators had determined that his home computer server had been “compromised” between Oct. 6 and Oct. 31, “only a few weeks before the client data appeared on the Internet.”

The FBI stated during the trial that Marsh's guilty plea "should send a message to those who inappropriately obtain and mishandle sensitive information that such actions may not just be improper, they can also be criminal." 

Marsh will be sentenced on December 17th and is expected to spend 3 years in jail.