By Justin Baer 

Federal authorities are probing whether a hacker is behind the online publication of a cache of Morgan Stanley's client data--and not the financial adviser who was fired in connection with the breach, people familiar with the matter said.

This latest twist raises the possibility that the incident is connected to larger cybersecurity concerns on Wall Street and isn't an isolated episode tied solely to the questionable judgment of a junior executive.

Morgan Stanley fired the adviser, Galen Marsh, last month after he acknowledged accessing account information on 350,000 of the firm's wealth-management clients and taking it home with him. His firing occurred not long after details related to 1,200 accounts were posted online along with an offer to sell a larger stash of information.

Mr. Marsh, 30 years old, has denied posting any of the data online or seeking to sell it.

Federal law-enforcement officials are focusing their probe on the possibility that Mr. Marsh's computer was hacked.

It is unclear who might have been responsible for the hack. Officials haven't arrested anyone in connection with their investigation, which is continuing.

Meanwhile, pieces of the same cache of client information have continued to surface online.

Since Morgan Stanley disclosed the breach, contacted the Federal Bureau of Investigation and fired Mr. Marsh, the account information has reappeared on several occasions, both in a public feed found on Twitter and back on Pastebin, the text-sharing site where Morgan Stanley had spotted its clients' information on Dec. 27. The more recent posts came from the same data set Mr. Marsh had accessed at work, though they didn't match up exactly with the 1,200 accounts that appeared on Pastebin in December, a person familiar with the matter said.

Morgan Stanley spotted the new postings and again took steps to have them removed from public view. The firm is changing the account numbers of those clients whose data were taken by Mr. Marsh, beginning with those whose information appeared publicly, and offering them credit and identity-theft protective services. No clients have reported fraud as a result.

At least two Twitter users posted tweets in January inviting viewers to access Morgan Stanley client data. One of those users provided links to the "Morgan Stanley hacked files" on filedropper.com. Then, on Jan. 31, a different Twitter account published screenshots of what appear to be account information on two Morgan Stanley clients, according to a cached version of the Twitter feed.

The two clients told The Wall Street Journal they were contacted soon after Mr. Marsh was fired but said they didn't know their information was again posted online. One of them said their account number had been changed; the other said the account in question had been closed in 2014.

The data include client names and account numbers as well as details on their investments. A person familiar with the matter said the data found on the more-recent postings listed several hundred accounts--far fewer than the 1,200 accounts--held by 900 clients--that appeared in late December.

Questions remain about the incident, including whether Mr. Marsh's computer was possibly targeted because he worked for a major Wall Street firm.

In the wake of the incident, Morgan Stanley tightened access to its client database so that individual advisers no longer have access to such wide swaths of account data.

Federal authorities also are continuing to look for answers on why Mr. Marsh accessed the client information in the first place, people familiar with the matter said.

Mr. Marsh told Morgan Stanley executives that he had accessed the client information and stored it on his personal computer to learn how successful advisers had built their customers' portfolios, people familiar with the matter said. Morgan Stanley executives believe he acted alone, one person said.

Federal investigators are seeking to determine whether Mr. Marsh brought the data home in anticipation of a move by the team of advisers with whom he had worked alongside for more than six years. Mr. Marsh was a junior member of the 1211 Group, a successful wealth-advisory office in Midtown Manhattan. The team had moved together from Bear Stearns Cos. in 2008. Mr. Marsh was promoted from trainee to full-fledged financial adviser in April.

A senior adviser on Mr. March's team, Mark Seruya, talked last year to UBS AG about moving to the rival wealth manager, people familiar with the matter said. In September, UBS sent Mr. Seruya a letter of understanding outlining terms of his offer to join the Swiss bank, one person said. Talks are no longer active and the offer expired, the people said.

Mr. Seruya said through a Morgan Stanley spokesman that he had discussions with UBS more than a year ago but decided not to leave.

Mr. Marsh told Morgan Stanley executives he acted alone, people familiar with the matter said. The New York-based firm hasn't taken disciplinary action on any other employee in connection with the client data breach.

Mr. Seruya managed $2.26 billion in client money as of October 2012, according to REP. magazine, which ranked him among their "Top 100 Wirehouse Advisors" that year.

Top advisers are in demand and routinely field inquiries from recruiters. "Transition packages are at an all-time high," said Mindy Diamond, president and chief executive at Diamond Consultants, a recruiting firm that caters to wealth advisers. "Every adviser--if one foot isn't already out the door--is certainly exploring their options."

Access Investor Kit for Morgan Stanley

Visit http://www.companyspotlight.com/partner?cp_code=P479&isin=US6174464486

Subscribe to WSJ: http://online.wsj.com?mod=djnwires

Morgan Stanley (NYSE:MS)
Historical Stock Chart
From Feb 2024 to Mar 2024 Click Here for more Morgan Stanley Charts.
Morgan Stanley (NYSE:MS)
Historical Stock Chart
From Mar 2023 to Mar 2024 Click Here for more Morgan Stanley Charts.