Insider leak: 350,000 financial accounts compromised

An employee at a branch office of a major financial institution has been fired for compromising 10% of its customers’ data. Here’s what you need to know to avoid a similar fate.

Morgan Stanley was conducting a routine review of websites to see if any of its information had been leaked. According to the Wall Street Journal, it discovered that nearly 900 of its customers’ financial information was being made available on Pastebin (the same site that was a dumping ground for the files from the Sony Pictures hack).

The source was found to be an employee who was recently promoted from being a trainee. He admitted to downloading client information, but denied posting it online. In either case, it was a violation of the company’s data transfer policies.

Insider threats

Malicious or not, this employee’s motives aren’t important any longer. The information is out there, and a company is left scrambling to control the damage. As Morgan Stanley points out, there’s been no indication so far that any of its customers have suffered financial damage, but losing data on 10% of clients is never going to be a victory in any way.

Now Morgan Stanley is left with several important questions:

  • How did one employee have access to download 10% of its customers’ info?
  • How did that information get online?
  • Is there any more information still out there?

These are just a few of the headaches it’ll have to deal with – in addition to possible backlash from authorities or in the public eye.

Keys to prevent insider leaks

Some employees may not see anything wrong with taking work data. Others might think of it as a violation of policies, but not necessarily understand why those policies are in place.

It’s crucial to make the connection that data security isn’t just a set of rules for your department; it’s also critical to the business’s survival. Violations of these policies – whether accidental or deliberate – will be dealt with seriously and could result in losing a job.

Other things to consider:

  • Ask employees what they do. Instead of telling users what not to do with data, ask them what they are doing with it. Send out surveys or talk with them one-on-one to see if they’re emailing work documents to personal accounts, using personal cloud storage accounts, etc. Chances are some of your users do – and some may be so unaware of the policies that they volunteer that information willingly.
  • Reevaluate privileges. Not all users need access to the same data. In fact, many users themselves believe they have access to more data than they should. Now is a good time to re-evaluate who has access to sensitive information and how much access they have vs. how much they need.
  • Focus on newer users. Training is crucial to making sure that data breaches don’t happen. If you hammer home the importance of securing and safely transferring information from the get-go, it’s more likely to stick long-term. Everyone needs to get the message, but the sooner it gets out, the better off IT will be.
  • Send the message from different levels. The same data security message, repeated only by IT, can get stale. Enlist the help of your HR department so employees are well aware of the consequences of violating your policies, and of top-level management so they know just how important the issue is.
