Morgan Stanley said Monday that it terminated an employee for stealing wealth management data from up to 10 percent of its clients, or about 350,000 people.
The bank said there is thus far "no evidence of any economic loss" for its clients. Still, data for about 900 clients—including account names and numbers—were briefly posted online, the firm said.
Morgan Stanley is the second-largest wealth manager in the country and the sixth-largest holding company, with assets of $814.5 billion. The company said the information did not include Social Security numbers or passwords.
"Morgan Stanley takes extremely seriously its responsibility to safeguard client data, and is working with the appropriate authorities to conduct and conclude a thorough investigation of this incident," the company said in a release.
The company's shares were off more than 3 percent in morning trade on a day when bank stocks overall were off 2.2 percent, as measured by the KBW Bank Index.
A source familiar with the matter said the missing information was discovered Dec. 27 via regular scans Morgan Stanley performers on suspicious web sites, and the firm was able to trace the breach back to the employee in 24 hours. The sourced added that the information was displayed only for a brief period, though there were an unspecified number of hits on the site.
The firm believes the employee wanted to sell the information, which included names, account numbers, states of residence, phone numbers, asset values and some transaction information. Clients affected by the breach will get new account numbers and credit monitoring services.
However, that may not be enough to stop similar attacks, particular at firms as large and interconnected as Morgan Stanley.
"Until there are real ramifications, until there's some type of financial penalty, whether through regulators or a private cause of action, then I can't imagine this is going to move the needle in change of behavior among these firms," said Brian Hamburger, president and CEO at MarketCounsel, a regulatory compliance and consulting firm.
The idea that an associate at a firm would have access to so many records should cause alarm bells both for the firm and its clients, he added.
"Whether it's Morgan Stanley or a local wealth management firm, they should be asking what safeguards are in place and who has access to my data," Hamburger said. "The large, global financial powerhouses that have made their way to this industry are not prepared for the level of sensitivity that wealth management clients require."