Ex-Morgan Stanley Worker Says Russians Suspected in Hack

  • Marsh says he accessed client data because he was `curious'
  • Says his computer was improperly accessed after he got data

A fired Morgan Stanley financial adviser facing prison for downloading data on hundreds of thousands of customer accounts to a home server says he’s been told the bank “suspected” Russian hackers got access to the information and offered to sell it on the Internet. 

Galen Marsh is asking a judge to spare him from prison, saying all he was trying to do was analyze the client information from his New Jersey home before it was stolen and posted on the Internet. Federal officials have confirmed the data was “compromised” during the period it was stored on his private server, according to his lawyer.

“It is probable that the client data was extracted from Mr. Marsh’s home as a result of outside hackers,” lawyer Robert Gottlieb wrote to U.S. District Judge Kevin Duffy. “Based upon conversations with representatives of Morgan Stanley, we learned that hackers emanating from Russia were suspected of posting the information and offering to sell it online.”

Client information for as many as 350,000 wealth-management clients was stolen. The firm alerted law enforcement and found no evidence that customers lost any money, New York-based Morgan Stanley said in January in a statement. The bank said it detected account information for about 900 clients on an external website and “promptly” had it removed.

“While it is possible Marsh’s personal computer upon which he improperly
stored Morgan Stanley data was hacked, we do not know with certainty what
happened after he stole the data,” James Wiggins, a spokesman for Morgan Stanley, said in an e-mailed statement Tuesday.

Marsh has maintained that he cooperated promptly with law enforcement and Morgan Stanley after the breach was discovered. He has said in court that he and a co-worker were being recruited by two other broker-dealer firms.

He pleaded guilty in September to accessing the bank’s computer network without permission. He faces as long as five years in prison when he’s sentenced on Dec. 17.

The case is U.S. v. Marsh, 15-cr-00641, U.S. District Court, Southern District of New York (Manhattan).

Before it's here, it's on the Bloomberg Terminal.