Morgan Stanley said on Monday it had fired an employee who allegedly stole account information from about 350,000 of its wealth management clients and posted some of it online.
There is no evidence that clients lost money as a result of the latest breach of customer information at a financial firm, Morgan Stanley said in a statement.
The bank discovered the theft as part of a routine Internet sweep on Dec. 27 and quickly got the information taken down, a person familiar with the matter said.
The employee appeared to be looking to sell the data, which pertained to about 10 percent of Morgan Stanley’s 3.5 million clients, the person said. He published information on about 900 accounts as an apparent advertisement, the person said.
The leaked information included names and account numbers, but not passwords or Social Security numbers.
The account numbers have since been changed, and Morgan Stanley has been notifying affected clients.
Morgan Stanley’s investigation into the matter is ongoing, and the bank declined to name the employee or the website. It has referred the matter to regulators and law enforcement authorities, who are conducting separate investigations.
The Financial Industry Regulatory Authority and U.S. Securities and Exchange Commission did not immediately respond to requests for comment. The Department of Justice also had no immediate response to requests for comment but a person with knowledge of the matter said the FBI was looking into the alleged theft of Morgan Stanley’s client data.
The Manhattan District Attorney’s Office declined to comment.
Shortly after Morgan Stanley announced the breach in a press release, Gregory Fleming, president of the wealth management business, issued a memo that said the bank is offering affected clients additional monitoring and fraud protection services at no charge.
Data security has become an increasingly big risk and budget item for major financial firms in recent years. Though the focus has largely been on risks posed by external hackers, some experts say inside sources can be just as big of a threat.
It was not immediately clear how the Morgan Stanley employee was able to breach compliance protocol to steal the client information and post it on the Web.
The person familiar with the matter, who was not authorized to speak publicly, said the former employee used an outside application to post the data externally. The bank has since restricted employee access to that application.
(Reporting by Tanya Agrawal and Lauren Tara LaCapra; Editing by Sriraj Kalluvila and Tom Brown)