Fired Morgan Stanley Insider Sentenced to Probation


Prosecutors Sought Prison Time for Theft of 730K Customers' Data

The former Morgan Stanley financial adviser who in September pleaded guilty to stealing confidential customer information and saving it on his home server will not serve time in prison.

On Dec. 22, Galen Marsh was sentenced to three years' probation and ordered to pay $600,000 in restitution. Marsh was also ordered to forfeit certain computer hardware that he used to export and store sensitive and confidential customer information, according to a statement from the U.S. Attorney's Office for the Southern District of New York.


Prosecutors had sought a sentence of more than three years in prison, according to Reuters.

Marsh's Data Theft

Between June 2011 and December 2014, Marsh, who worked in Morgan Stanley's private wealth management division, conducted nearly 6,000 unauthorized searches of confidential client information and then uploaded information about 730,000 of those clients to a server at his home in New Jersey, according to court records. In January, after Morgan Stanley found that data about some 900 of its clients had briefly been posted online, Marsh was fired.

The financial services firm has said that it is not aware of any clients who have been impacted by fraud or have lost money because of the breach.

Marsh later admitted in court that he illegally accessed accountholders' names, addresses and other personal information, along with investment values and earnings. But he said he never posted anything online. A computer forensics investigation into the data theft later confirmed that Marsh's home network and server had been hacked, court records note.

"The government confirms that Mr. Marsh's home server, on which Mr. Marsh had saved the client data, had been compromised between Oct. 6, 2014, and Oct. 31, 2014, only a few weeks before the client data appeared on the Internet," a Dec. 1 sentencing memorandum filed by Marsh's attorney states. "It is probable that the client data was extracted from Mr. Marsh's home as a result of outside hackers. In fact, based upon conversations with representatives of Morgan Stanley, we learned that hackers emanating from Russia were suspected of posting the information and offering to sell it online."

Prosecutors say that Marsh accessed the information to use it for his personal advantage. They say he was engaged in discussions regarding potential employment with two other financial institutions that compete with Morgan Stanley. Marsh had contended he accessed the information to analyze how other advisers managed clients' money so he could do a better job, court records state.

In announcing the sentence that did not include prison time, U.S. District Judge Kevin Duffy warned Marsh "to expect the roof to fall in" if he violates any terms of the probation, Bloomberg reports. "I will hit you with everything possible," Judge Duffy said, according to Bloomberg. "I'll make sure you spend your time in one of the worst places I can find."

Reaction to Sentencing

Financial fraud expert Avivah Litan says the sentencing seems fair, although the exposure of sensitive customer data will have long-lasting effects.

"We need a method to quantify the potential damage so we can take the guesswork out of it," she says. "Hopefully the laws will keep up with the crimes in this new cyber-era."

Penalties need to be in line with the potential damage these data breaches cause, she adds.

Attorney Chris Pierson, chief security officer at invoicing and payments provider Viewpost, says data theft by disgruntled employees is on the rise, highlighting the need for more stringent cybersecurity and internal auditing controls (see Insider Lessons from Morgan Stanley Breach).

"Courts and prosecutors are trying to keep pace with whether this is unauthorized access under CFAA [Computer Fraud and Abuse Act] or an issue of internal policy violation," Pierson says. "No matter which, the act of taking what is not yours is a wrong that is further blurred in the access-anywhere-on-any-device environment of the current technology state. Companies try to implement controls to identify when these acts occur, but due to the expanse of data storage options and locations, it is a constantly evolving challenge. Technology and controls can do little when internal moral compasses go awry."