The Morgan Stanley Smith Barney Breach: Losing Client Data the Old Fashioned Way

There is a sophisticated and efficient market out there for personal identifying information (PII), and the prices go up when the data comes from a target-rich environment like Morgan Stanley. Now think about it: whether you’re an account executive, a messenger, or a clerk in a state bureaucracy, it’s easy for you to know that this market exists. You also know that the chances of getting caught are even lower than finding a front row seat to a Lady Gaga concert because the “security” around those CD-ROMs was virtually nonexistent. Most five-year-olds can get around passwords, and there are literally scores of people who could have heisted the discs from the package. Best of all, you know that you never have to meet your “fence”—it’s not like stealing the Rolex off of the sink in the men’s washroom—you can transmit the data with complete anonymity, and get paid for it with little, if any, risk of exposure. And you don’t have to be a computer geek; that’s the real beauty of this sort of “old-fashioned” brand of identity theft. Hacking or phishing may require certain technical skills, but lifting a CD-ROM can be done by my seven-year-old niece. In a nutshell, we’ve just identified the real cause of the pandemic-like problem we are having: if you’d like to become an identity thief, you don’t need to know very much; because security measures are so lax or ineffective, it’s not too difficult; and the very minimal risk is far outweighed by the very tangible and ever-growing rewards. We have managed to create the perfect environment for making crime pay.

So, perhaps you haven’t received “the letter” proclaiming your unsolicited membership in the “500 Million File Club” (now that more than 500 million files have been improperly accessed since 2005). I bet you’re probably thinking, “Hey, I’m not a rich guy.” Or, “I don’t have a brokerage account.” Or, “I don’t live in the U.S. where there is an established network of data thieves and data buyers.” “I’m OK. I am under the radar.”

Think again.

On November 20, 2007, UK Chancellor of the Exchequer Alistair Darling announced:

“Two password-protected discs containing a full copy of HMRC’s [the UK equivalent of the IRS] entire data in relation to the payment of child benefit was sent to the NAO [the National Accounting Office] by HMRC’s internal post system operated by the courier TNT. The package was not recorded or registered. It appears the data has failed to reach the address in the NAO.”

Sounds familiar, doesn’t it?

The lost data involved almost half of the UK’s population—approximately 25 million people. The personal data on the missing discs was said to include names, addresses and dates of birth of children receiving Child Benefits, as well as the National Insurance account numbers and the bank account data of their parents.

The BBC detailed the magnitude of the loss as follows:

  • 7.25 million adult claimants of Child Benefits for their offspring;
  • 15.5 million children entitled to receive those benefits;
  • 2.25 million non-parent adult claimants such as unrelated caregivers, and a few thousand others.

This was truly equal-opportunity thievery. And like every other catastrophic breach, reassurance—however meaningless—quickly followed the announcement. Mr. Darling averred that there was no indication that the details had fallen into the wrong hands, but he advised those affected to monitor their bank accounts nonetheless. He said, “If someone is the innocent victim of fraud as a result of this incident, people can be assured they have protection under the Banking Code so they will not suffer any financial loss as a result.”

Uh-huh. What about years from now when those kids grow up?

Of course, the UK being the interesting island that it is, there were some colorful reactions to the news, particularly as to the value of the loss to identity thieves. The head of the Liberal Democratic Party estimated that the names were worth approximately one hundred dollars apiece for a total value of approximately $2.5 billion. Scotland Yard unofficially speculated that it was more like four dollars apiece, amounting to a mere $100 million. Methinks the politician was closer to it than the policeman, but prices have gone up since then anyway. Some identities can trade for several thousands of dollars, particularly if they are usable to evade immigration laws, or if the data comes with a good pedigree—like that of a Morgan Stanley investor.

Until we have better laws, stronger security procedures, and a very different attitude toward PII and its value, we will suffer in the swarm—rich or poor. No one will die, but everyone will likely be stung at least once, and possibly many times, and very harmfully. And just like a run through a swarm of bees, some of your attackers can be seen, some cannot, and even the ones who don’t know a keyboard from a keychain can deliver a nasty sting—the old-fashioned way.
