Faulty Access Controls Led to Morgan Stanley Data Breach: FTC

The Federal Trade Commission has closed its investigation of Morgan Stanley's massive data breach. It has identified the problem that allowed the breach to happen: access controls to a narrow set of reports were improperly configured.

According to Morgan Stanley, advisor Galen Marsh in December stole account records for 350,000 of its wealth management clients and posted 900 of those records online. The records were posted to Pastebin, an online bulletin board where anyone can anonymously post plain text.

The bank said it caught this breach within hours, quickly fired Marsh and the account information was wiped off Pastebin. Morgan Stanley also shut down the software that the employee used to access the records.

The FTC determined that Morgan Stanley "had established and implemented comprehensive policies designed to protect against insider theft of personal information." Additionally, Morgan Stanley "promptly fixed the problem" that had allowed the rogue employee to gain access to client data.

In an emailed statement, Morgan Stanley said it "promptly alerted law enforcement and regulators, notified affected clients, changed account numbers and offered identity protection services. We worked quickly to mitigate the issue and implemented enhanced security safeguards. There is no evidence of fraud occurring on the affected client accounts as a result of this incident."

Although the FTC closed the investigation, the commission said it "reserves the right to take such further action as the public interest may require."

Andy Peters writes about regional banks, consumer finance and debt collections for American Banker. 

Read more:

• UBS Lures Away Morgan Advisors With $480 Combined AUM
• Wealth Profits Soar 20% at Morgan Stanley
• Data Breach: What to Do If Clients Are Federal Employees