High net-worth clients targeted in Morgan Stanley breach
By Byron Acohido, ThirdCertainty
The shocking Morgan Stanley data breach should come to serve as a wake-up call for high net-worth individuals.
The New York Times is reporting that a low-ranking Morgan Stanley financial adviser recently pilfered, then posted for sale account records, including passwords, for six million of the Wall Street giant’s clients. The alleged perpetrator has been fired and is being investigated by the FBI. And now Morgan Stanley must deal with the reputation hit.
This is the latest, most vivid example of identity thieves culling the herd for victims who enjoy high gross incomes and robust financial portfolios.
But there is also a lesson in democracy here. Other than having fatter bank accounts, top-paid executives, rich investors and superstar athletes and entertainers are no different than the rest of us. They patronize the same institutions as we do for banking, shopping, tax advice and medical attention. And those organizations are having a devil of a time securing the data that fuels our Internet-centric economy.
“The exposure is huge,” observes Eric Chiu, cofounder and president of cloud security vendor HyTrust. “If you think about every employee at every company that stores sensitive information you’re talking about a large set. And many corporations are blind to the fact that the number one threat is coming from the inside via an employee or an impersonator using system administrator-level credentials.”
Even after Edward Snowden, many companies have yet to review, much less implement, systems that can detect suspicious activity inside the firewall.
“In this case, Morgan Stanley discovered their data outside of the corporate environment, but seemed to react in a timely fashion and limit bad consequences,” says Scott Hazdra, principal security consultant at risk management firm Neohapsis. “However, it appears the alleged perpetrator was not very sophisticated or adept at hiding his activities, where a more talented bad actor may have hidden his tracks much more effectively.”
Criminals may vary in sophistication level. But they all seem to be adept at spotting opportunity. Wealthy individuals usually enjoy sterling credit ratings, maintain a large number of accounts that hold high amounts, and fail to take security seriously. They are ripe targets for theft, scams and public humiliation, depending on the motives of the attacker.
The hackers responsible for the Sony Pictures hack disclosed the salaries of more than 6,000 Sony Pictures employees, including senior executives. The disclosure included 3,803 employees’ Social Security numbers, among them those of all the company’s top executives, according to this Fusion report.
And accused celebrity scammer George French Jones Jr. allegedly used identity theft trickery to carry out a scheme to dupe TV host Nick Cannon, former NFL star quarterback Warren Moon and other NFL and NBA athletes into buying bogus shares in the Miami Heat basketball team, according to this criminal complaint.
Then there are the old standby scams. Identity thieves obtained enough personal information about Kurt Cobain, Will Smith, George Lucas and others to access bank accounts and secure credit in their names.
Criminals are no dummies. They go where the money is. Financial planners and wealth managers who cater to high net-worth individuals are favorite targets—and, for now, easy marks.
Results from a recent Securities and Exchange Commission study showed:
- 78% of Investment Firms do not follow IT Security/Compliance Benchmarks
- 7% lacked a stand-alone cyber policy
- 80–87% have not adopted a formal incident response plan
- 60–69% lack a formal intrusion detection program
This is not a situation that’s going to improve anytime soon. “A lot needs to be done,” says Chiu. “A big philosophical change has to happen. A shift has to happen where security is no longer viewed as an insurance plan but as a part of doing business.”