When multinational financial services firm Morgan Stanley discovered that a rogue employee had stolen confidential details of 350,000 of its clients, it took swift action by terminating the financial advisor’s employment and disclosing the news publicly.
Although there is no evidence of financial losses to customers, Morgan Stanley has notified the relevant law enforcement agencies and is informing all potentially affected customers.
On 27 December 2014 the bank discovered that the names and transaction details of more than 900 wealth management clients had been posted to Pastebin by an employee. Wealth management clients are prime targets for cyber criminals, because their data, once exploited, can yield very lucrative returns. Two weeks earlier, the same employee had posted an offer on the site for six million account records, including passwords and login details. It appears the employee was hoping to sell the details in return for the relatively unknown virtual currency Speedcoin.
Morgan Stanley has been praised for speaking openly about the fact that insiders can breach an organisation’s security. The firm has also been lauded for its vigilance in acting promptly, tracking down the perpetrator and taking the necessary remedial action.
The New York Times reports that financial firms often struggle to deal with the insider threat because it is a challenge to recognise whether an employee is pulling data for legitimate or nefarious reasons.
The insider threat can wreak havoc with a company’s financial performance and reputation. A resilient organisation is one that meets its objectives in the face of changing risk environments and potential business disruption.
vsRisk™, the leading information security risk assessment software, can support your organisation in executing a robust risk assessment at a fraction of the cost of hiring a consultant, and dramatically speeds up the process. As well as helping you identify the potential risks your organisation could face, vsRisk provides the relevant recommended controls, including those of NIST SP 800-53, ISO 27001 and the PCI DSS, to ensure your risk assessment reflects international best practice.