Investment Bank Morgan Stanley Discloses Data Breach
Hackers Accessed Information by Exploiting a Flaw in a Vendor’s Server, Accellion FTA.
Recently, American multinational investment bank Morgan Stanley has revealed it had suffered a data breach at the beginning of the year. According to the company’s statement, the data of some of its corporate clients was compromised in the security breach that involved a third-party vendor.
The financial institution declared hackers accessed information by exploiting a vulnerability in the vendor’s server, Accellion FTA.
Morgan Stanley is an American multinational investment bank and financial services company that has offices in more than 42 countries with more than 60,000 employees. The firm’s clients include corporations, governments, institutions, and individuals.
When Did the Morgan Stanley Data Breach Happen?
According to a recent letter sent by Morgan Stanley to the New Hampshire Attorney General’s office, on May 20, 2021, the bank was informed by Guidehouse, a vendor that provides account maintenance services to Morgan Stanley’s StockPlan Connect business, that it had suffered an information security attack.
The vendor told financial services institution that cybercriminals hacked its Accellion FTA server in order to steal information belonging to Morgan Stanley stock plan participants.
While the exposure was patched within five days, the attackers managed to get a decryption key even though the files were encrypted.
According to the technology news website Bleeping Computer, the hack was discovered in March by Guidehouse and its impact on Morgan Stanley was found in May.
The vendor also said that nothing indicates the attackers published the stolen data online and the affected individuals were immediately informed of the incident.
There was no data security breach of any Morgan Stanley applications. The incident involves files which were in Guidehouse’s possession, including encrypted files from Morgan Stanley.
As we said before, although the files in Guidehouse’s possession were encrypted, the vendor disclosed that the threat actors were able to acquire the decryption key during the data breach, due to the Accellion FTA flaw.
What Data Was Stolen During the Morgan Stanley Data Breach?
The files stolen from the vendor included participant information such as names, addresses, date of birth, Social Security numbers, and corporate company name. None of the data contained passwords that could be used to access financial accounts.
The protection of client data is of the utmost importance and is something we take very seriously. We are in close contact with Guidehouse and are taking steps to mitigate potential risks to clients.
So far, 2021 has been a busy year if we think of the multiple security incidents impacting organizations after their Accellion FTA servers were compromised, enabling threat actors to steal private information.
Some of the victims were Royal Dutch Shell plc, commonly known as Shell, a multinational oil and gas company with more than 86,000 employees in over 70 countries,
Singapore Telecommunications Limited (commonly abbreviated as Singtel), multiple universities, and others.