Thousands and thousands of times: a tale of an insider data breach
Eleonore Fournier-Tombs, RedOwl field data scientist, ponders the curious case of Galen Marsh, who stole masses of data from his former employer, Morgan Stanley, using a very simple hack of the client data management system.
In a climactic conclusion to an insider threat story that has been developing since 2015, Morgan Stanley agreed to pay a fine of $1 million to the US Securities and Exchange Commission (SEC) for failing to protect private customer data.
The leak in question took place between 2011 and 2014, as a former Morgan Stanley employee, Galen Marsh, downloaded the bank’s client information onto his personal computer using a very simple hack of the client data management system. His personal computer was then allegedly accessed by an unknown third-party hacker who posted the information on the public code sharing site Pastebin.
Morgan Stanley itself discovered the breach during a security sweep on Pastebin, and traced the information back to Marsh, who was terminated, criminally charged and fined in 2015.
Early threat detection
Marsh conducted at least 6,000 searches on the client management system to download 730,000 customer account details. He built these queries by entering Morgan Stanley Smith Barney (MSSB) Branch IDs, which he had access to, and then trying different financial advisor (FA) numbers until he hit a valid combination. The results were then downloaded to his personal computer rather than to a Morgan Stanley issued machine.
Let’s break down a scenario in which Marsh could have been caught the first time he downloaded client data onto his personal computer. This happened in 2011. Marsh had been working at Morgan Stanley since 2008 and was familiar with its client management system.
He was presumably downloading data from an account he was working on when he realised that he could change the filters on the system. Perhaps he made this discovery at work and waited until he was at home to log in again from his personal computer. After this discovery, he took actions that would have raised the following flags in an alert system:
1. Logged in from a personal computer: by itself, a low risk – yellow.
2. After logging in, selected a Branch ID which he was not assigned to: immediate red flag.
3. Tried different financial advisor numbers until he found a valid one: orange. It could happen legitimately, but presumably not more than once during a session.
4. Downloaded the data onto his personal machine: immediate red flag. Presumably no one should download anything from the client management system unless it is onto a Morgan Stanley machine.
5. Presumably repeated steps 2, 3 and 4 several times until he logged out for the night: a layered alert showing increasing counts of suspicious actions.
Ultimately, Marsh undertook these actions thousands and thousands of times over the course of his employment. Understandably, that is terrifying to security teams. Had Morgan Stanley been monitoring for these items on a centralised platform that correlates login data with client management system activity (including where the downloads were going), a security analyst could have received an alert showing these threat events layered on top of one another, producing a very high risk score.
Although it’s clear that the client management system could have been secured better, a high-risk activity alert could have informed Morgan Stanley of the breach at the very beginning of this activity and allowed it to rectify the situation before it escalated to hundreds of thousands of customers.
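To make the layering concrete, here is an added example (not code from the article or from RedOwl) of a toy rule engine that scores one user's session of client management system events with the flags listed above. The log format, the field names, the per-flag weights, the alert threshold, the branch assignment table and the sample log lines are all assumptions constructed for this illustration; a real deployment would take these from the CMS audit log and the access-control data.

```python
"""Layered insider-threat scoring over constructed CMS audit log lines.

Added example, not the article's or RedOwl's code. Every name, weight and
log line below is an assumption made for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# Assumed per-flag weights, following the article's colours
# (yellow = low, orange = medium, red = high).
WEIGHTS = {
    "personal_device_login": 1,  # yellow
    "fa_number_guessing": 3,     # orange: extra FA numbers tried under one branch
    "unassigned_branch": 5,      # red: each distinct branch the user is not assigned to
    "download_to_personal": 5,   # red: each download landing on a personal device
}
ALERT_THRESHOLD = 10  # assumed score at which an analyst is paged

# Assumed access-control data: branch IDs each user is assigned to.
ASSIGNED_BRANCHES = {"marsh": {"B100"}}


@dataclass
class Event:
    user: str
    device: str      # "corporate" or "personal"
    action: str      # "login", "query" or "download"
    branch_id: str = ""
    fa_number: str = ""


def parse_line(line: str) -> Event:
    """Parse one constructed pipe-delimited 'key=value' log line."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    return Event(fields["user"], fields["device"], fields["action"],
                 fields.get("branch", ""), fields.get("fa", ""))


def score_session(events):
    """Return (risk score, flag counts) for one user's session of events."""
    flags = Counter()
    unassigned_branches = set()
    fa_tried = set()  # (branch_id, fa_number) pairs queried this session
    for ev in events:
        assigned = ASSIGNED_BRANCHES.get(ev.user, set())
        if ev.action == "login" and ev.device == "personal":
            flags["personal_device_login"] += 1
        elif ev.action == "query":
            if ev.branch_id not in assigned:
                unassigned_branches.add(ev.branch_id)
            fa_tried.add((ev.branch_id, ev.fa_number))
        elif ev.action == "download" and ev.device == "personal":
            flags["download_to_personal"] += 1
    flags["unassigned_branch"] = len(unassigned_branches)
    # Guessing: every FA number beyond the first tried under the same branch.
    per_branch = Counter(branch for branch, _ in fa_tried)
    flags["fa_number_guessing"] = sum(n - 1 for n in per_branch.values() if n > 1)
    score = sum(WEIGHTS[flag] * count for flag, count in flags.items())
    return score, flags


def score_log(lines):
    """Convenience wrapper: parse raw lines, then score them as one session."""
    return score_session(parse_line(line) for line in lines)


def should_alert(score) -> bool:
    return score >= ALERT_THRESHOLD


# Constructed sample sessions (not real Morgan Stanley data).
SUSPICIOUS_LOG = """\
user=marsh|device=personal|action=login
user=marsh|device=personal|action=query|branch=B200|fa=0001
user=marsh|device=personal|action=query|branch=B200|fa=0002
user=marsh|device=personal|action=query|branch=B200|fa=0003
user=marsh|device=personal|action=download|branch=B200|fa=0003
user=marsh|device=personal|action=query|branch=B300|fa=0007
user=marsh|device=personal|action=query|branch=B300|fa=0008
user=marsh|device=personal|action=download|branch=B300|fa=0008
""".splitlines()

BENIGN_LOG = """\
user=marsh|device=corporate|action=login
user=marsh|device=corporate|action=query|branch=B100|fa=0042
user=marsh|device=corporate|action=download|branch=B100|fa=0042
""".splitlines()

if __name__ == "__main__":
    for name, log in (("suspicious", SUSPICIOUS_LOG), ("benign", BENIGN_LOG)):
        score, flags = score_log(log)
        print(name, score, dict(flags), "ALERT" if should_alert(score) else "ok")
```

A single personal-device login scores 1 and never alerts on its own, which is the point of the yellow rating; it is the combination of an unassigned branch, several FA numbers tried under it, and a download to the same personal device, repeated for a second branch, that pushes the session well past the threshold. Weighting distinct branches rather than raw query counts keeps a legitimate user who runs many queries against their own branch from accumulating score.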
Could the third-party hacker have been apprehended earlier?
The fact that Morgan Stanley found the hack itself shows that it was, in fact, operating some security controls.
Pastebin, a platform initially created to let developers easily share and store code, is now a known repository for illegally obtained information such as credit card numbers, bank account names and social security numbers. Lately, Pastebin has also been associated with Anonymous, Guardians of the Peace and DemonSec, all of which have had run-ins with the FBI.
As part of their daily security practices, banks should certainly scour the internet for their clients’ personally identifiable information (PII). However, once the data has been sold or shared online, the breach has already taken place. It’s more effective, therefore, to catch an insider threat in the early stages of a hack, particularly one which seemed to have taken place so systematically and for so long.
Online hacks are today’s equivalent of the bank heists of old. The Identity Theft Resource Center lists 454 data breaches so far in 2016 in the United States, with over 12 million people exposed. However, where there is a higher incidence of breaches, there is also a higher potential for apprehension. Companies are analysing logins, print logs, remote access and web access, and painting a vivid picture of insider threats and how they operate. In fact, the FBI found in 2014 that most data breaches were caused by disgruntled employees, not external hackers.
We don’t know Marsh’s motivations – was he disgruntled, angry, or seeking retribution? It’s not even clear what he intended to do with the data he stole. What is certain, though, is that all of his actions left telling fingerprints, and that if only the light had been angled correctly, they would have begun to glow.