High net-worth clients targeted in Morgan Stanley breach


By Byron Acohido, ThirdCertainty

The shocking Morgan Stanley data breach should serve as a wake-up call for high net-worth individuals.

The New York Times is reporting that a low-ranking Morgan Stanley financial adviser recently pilfered, then posted for sale, account records, including passwords, for six million of the Wall Street giant’s clients. The alleged perpetrator has been fired and is being investigated by the FBI. And now Morgan Stanley must deal with the reputation hit.

This is the latest, most vivid example of identity thieves culling the herd for victims who enjoy high gross incomes and robust financial portfolios.

More: A call for a data breach warning label

But there is also a lesson in democracy here. Other than having fatter bank accounts, top-paid executives, rich investors and superstar athletes and entertainers are no different from the rest of us. They patronize the same institutions as we do for banking, shopping, tax advice and medical attention. And those organizations are having a devil of a time securing the data that fuels our Internet-centric economy.

“The exposure is huge,” observes Eric Chiu, cofounder and president of cloud security vendor HyTrust. “If you think about every employee at every company that stores sensitive information, you’re talking about a large set. And many corporations are blind to the fact that the number one threat is coming from the inside via an employee or an impersonator using system administrator-level credentials.”

Even after Edward Snowden, many companies have yet to review, much less implement, systems that can detect suspicious activity inside the firewall.

“In this case, Morgan Stanley discovered their data outside of the corporate environment, but seemed to react in a timely fashion and limit bad consequences,” says Scott Hazdra, principal security consultant at risk management firm Neohapsis. “However, it appears the alleged perpetrator was not very sophisticated or adept at hiding his activities, where a more talented bad actor may have hidden his tracks much more effectively.”

Criminals may vary in sophistication level. But they all seem to be adept at spotting opportunity. Wealthy individuals usually enjoy sterling credit ratings, maintain a large number of accounts that hold high amounts, and fail to take security seriously. They are ripe targets for theft, scams and public humiliation, depending on the motives of the attacker.

The hackers responsible for the Sony Pictures hack disclosed the salaries of more than 6,000 Sony Pictures employees, including senior executives. That included 3,803 employees’ Social Security numbers, including all the company’s top executives, according to this Fusion report.

And accused celebrity scammer George French Jones Jr. allegedly used identity theft trickery to carry out a scheme to dupe TV host Nick Cannon, former NFL star quarterback Warren Moon and other NFL and NBA athletes into buying bogus shares in the Miami Heat basketball team, according to this criminal complaint.

Then there are the old standby scams. Identity thieves obtained enough personal information about Kurt Cobain, Will Smith, George Lucas and others to access bank accounts and secure credit in their names.

Criminals are no dummies. They go where the money is. Financial planners and wealth managers who cater to high net-worth individuals are favorite targets—and, for now, easy marks.

Results from a recent Securities and Exchange Commission study showed:

  • 78% of investment firms do not follow IT security/compliance benchmarks
  • 7% lacked a stand-alone cyber policy
  • 80–87% have not adopted a formal incident response plan
  • 60–69% lack a formal intrusion detection program

This is not a situation that’s going to improve anytime soon. “A lot needs to be done,” says Chiu. “A big philosophical change has to happen. A shift has to happen where security is no longer viewed as an insurance plan but as a part of doing business.”

More on emerging best practices

3 steps for figuring out if your business is secure

5 steps to secure cryptography keys, digital certificates

6 steps for stopping hacks via a contractor or supplier
