Inside Job: Morgan Stanley Hack Paints Troubling Portrait for HR and IT

When the thief is in the next cubicle, what’s HR to do?

By Aliah D. Wright Jan 12, 2015

Two days after Christmas, financial services corporation Morgan Stanley discovered that Internet data on 350,000 clients had been stolen and attributed the theft to one of its employees. The employee was subsequently fired. Although he has not been charged, the employee is reportedly under investigation by the FBI.

It’s a tale that could send shivers down the spine of any employer tasked with keeping customer and employee data safe.

How could such a thing happen and what can HR do to ensure employees aren’t stealing corporate data?

The Details

According to news reports, Morgan Stanley does not know how the 30-year-old financial advisor obtained and posted client names and account numbers to the website Pastebin. When the firm discovered the breach, the information was removed. Account passwords and Social Security numbers were not posted, it said.

A spokesman for the bank told the Associated Press that the employee was likely trying to sell the information online and listed the partial information as a “sneak peek.”

In a release, the company stated it “is taking the precaution of notifying all potentially affected clients and instituting enhanced security procedures, including fraud monitoring on these accounts.”

But is that enough?

No, experts say. Employers should use this as a teachable moment and be proactive so that more breaches of this kind do not occur. The risk can be reduced by limiting employee access to sensitive data.

“HR (and often the department heads, too) can work more closely to define and communicate access rights” to sensitive information, said Deena Coffman, chief executive officer of IDT911 Consulting, a data risk consultancy, in an e-mail interview with SHRM Online. “With this collaboration and the right toolset, companies can apply access controls that restrict employees to just the information they need to perform [their jobs],” she continued.

Experts add that companies should monitor their systems and be on alert when there has been any inappropriate access into those systems.

In addition, the different departments within a company should work on communicating more efficiently. “Historically, IT and information security departments have been frustrated by a lack of real-time communication from HR on what employee groups are supposed to access, and on changes in roles or employment status of employees,” said Coffman, who was formerly chief operating officer for the cybersecurity and information assurance practice at Johnson & Johnson.

“Without being told, IT has little choice but to allow access for fear of irritating a customer [or employee] unnecessarily,” she said. “Without the structured process for communicating changes quickly, a terminated employee or contractor will retain access. Under this scenario, even the best technical tools can fail.”

The Enemy Inside

According to Verizon’s 2014 Data Breach Investigations Report, the majority of data attacks are “perpetrated by external actors, as opposed to employees and partners.” Still, almost one-fifth (19 percent) of data attacks last year were attributable to “insider misuse,” the report stated.

“Many … inside attacks are IT employees with elevated [or administrative] privileges and little to no oversight on how and when those privileges are used,” said Coffman. “IT should be required to only use elevated privileges when necessary and the use of those privileged accounts should be monitored and logged. Separation of duties should be required on certain functions and an outside review is recommended annually.”

Privileged account management technology tools are also an option, she said.

This includes tools that:

  • Restrict: Prohibit an employee from taking an action without in some way first obtaining permission or authorization from some person or other entity.
  • Monitor: Operate automated programs that observe all system or application events.
  • Log: Create a summary list of selected system or application events.
  • Audit: Create trusted audit trails of configuration events that occur within a system or application.
  • Alert: Send an automated message to designated recipients when a particular pre-defined log or audit event occurs.

Verizon suggests companies prevent insider data breaches by:

  • Knowing where their data is and who has access to it.
  • Reviewing user accounts and identifying who has access to sensitive data, then implementing a process for revoking access when an employee leaves the company or switches roles.
  • Knowing when data leaves the company by setting up controls to see when data is transferred out of the organization.
  • Distributing anonymous results of audits. When employees see that actions against data breaches are enforced and policed, that may deter theft of information.
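The account review in Verizon's list, and the HR-to-IT hand-off Coffman describes, can be run as a routine reconciliation of an HR roster against IT's entitlement export. The following is an added example, not part of the original article; the CSV layouts, entitlement names and the role baseline are constructed assumptions.

```python
import csv
import io

# Constructed sample data: an HR roster export and an IT entitlement export.
HR_ROSTER = """employee_id,status,role
e100,active,advisor
e101,terminated,advisor
e102,active,analyst
"""

IT_ENTITLEMENTS = """employee_id,account_enabled,entitlement
e100,true,client_accounts_own
e100,true,client_accounts_all
e101,true,client_accounts_own
e102,true,research_reports
e103,true,client_accounts_all
"""

# Hypothetical role-to-entitlement baseline agreed by HR and department heads.
ROLE_BASELINE = {
    "advisor": {"client_accounts_own"},
    "analyst": {"research_reports"},
}

def reconcile(hr_csv, it_csv, baseline):
    """Return sorted (employee_id, entitlement, reason) findings for review."""
    hr = {r["employee_id"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for row in csv.DictReader(io.StringIO(it_csv)):
        if row["account_enabled"].strip().lower() != "true":
            continue  # disabled accounts grant no access
        emp, ent = row["employee_id"], row["entitlement"]
        person = hr.get(emp)
        if person is None:
            reason = "no_hr_record"           # account HR does not know about
        elif person["status"] != "active":
            reason = "not_active_in_hr"       # left the company, access retained
        elif ent not in baseline.get(person["role"], set()):
            reason = "outside_role_baseline"  # more access than the role needs
        else:
            continue
        findings.append((emp, ent, reason))
    return sorted(findings)

if __name__ == "__main__":
    for finding in reconcile(HR_ROSTER, IT_ENTITLEMENTS, ROLE_BASELINE):
        print(*finding, sep="\t")
```

Each finding is a candidate for revocation or for a documented exception, and the findings list is the kind of audit result that can be anonymized and distributed.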

In 2014, the average data breach cost corporations $3.5 million, according to the Ponemon Institute, a research center dedicated to privacy, data protection and information security policy.

That number is expected to increase in 2015, said Erik Knight, president of SimpleWan, a Phoenix-based provider of cloud-based security firewalls.

“It’s no different from this and the Edward Snowden situation,” said Knight, a 20-year veteran of the security and technology industry, during a telephone interview with SHRM Online. Snowden, a computer programmer, leaked the National Security Agency’s classified surveillance data, which he obtained while working there as a subcontractor.

“What it comes down to is procedures and really vetting your individuals,” Knight said.

But what if an employee’s history record is spotless or if he has a limited work history?

That’s when segmented access becomes especially important.

“The best thing to do is segment your different infrastructures … and don’t give one person that kind of control so they can’t do that much damage,” Knight said. “Anyone that has too much power is a danger to the organization and to themselves.”

Trusting employees is a factor as well, he said, but that can only go so far.

“You can implement a ton of technology, but if you can’t trust your employees, you can have all the systems and technology in the world and you’ll still have issues.”

Aliah D. Wright is an online editor/manager for SHRM.
