Morgan Stanley suffered a breach of customer data after supply chain hack

The hack involved exploitation of a security flaw in file-transfer software from Accellion

Investment banking giant Morgan Stanley revealed last week that personal details of some of its customers were stolen in a data breach earlier this year, which involved one of its contractors.

In a notice sent to affected clients, the company said that the breach affected Guidehouse LLP, a consulting company that provides account maintenance services to Morgan Stanley's StockPlan Connect business.

Guidehouse informed Morgan Stanley about the cyber intrusion on 20 May 2021, revealing that hackers had stolen customer names, birth dates, addresses, social security numbers, and other details of the bank's stock plan participants after breaking into the Accellion FTA server belonging to Guidehouse.

Guidehouse discovered the intrusion in March, and the impact of the breach on Morgan Stanley customers was identified in May.

Guidehouse said that the hack involved exploitation of a security flaw in file-transfer software from Accellion.

"There was no data security breach of any Morgan Stanley applications," Morgan Stanley said in its notification letter. Moreover, it added, there was no evidence to suggest that the stolen data had been published online by the threat actors.

Guidehouse found that the hackers were able to access some encrypted files belonging to Morgan Stanley, as well as the key needed to decrypt them.

"The underlying data and personally identifiable information of StockPlan Connect participants in these files is owned by certain of Morgan Stanley's corporate clients that retain Morgan Stanley StockPlan Connect to provide stock plan management services to their employees. Guidehouse, in turn, was providing a service to Morgan Stanley to identify the best available address for participants whose contact information was invalid," Morgan Stanley said.

However, the files stolen from the Accellion FTA server did not contain credentials or passwords that the threat actors could use to gain access to impacted accounts, it added.

Guidehouse told Morgan Stanley that it patched the Accellion FTA bug in January 2021, within 5 days of Accellion making the security update available. However, Guidehouse's server had already been compromised before the patch was released.

In February, BleepingComputer reported that threat actors had compromised dozens of companies using vulnerabilities in Accellion's legacy File Transfer Appliance. The hacks occurred in December last year and involved the FIN11 threat group and the Clop ransomware gang, according to the report.

In a statement to BleepingComputer, a Morgan Stanley spokesperson said that the company takes the protection of client data very seriously and was taking appropriate steps to mitigate potential risks to clients.

This is not the first cyber security incident impacting Morgan Stanley.

In 2015, the financial services firm fired an employee who it said stole account data for thousands of its wealth management clients.

A subset of the stolen information was also posted online for a brief period of time; the company found it in December 2014 during a routine scan it performed of suspicious websites.