Morgan Stanley has revealed a data breach after attackers hacked into a third-party vendor's Accellion FTA server and stole personal information belonging to its clients. Morgan Stanley is a global financial services corporation that specializes in investment banking, securities, wealth management, and investment management. Corporations, governments, institutions, and individuals from more than 41 countries are among the company's clients.
In May 2021, Guidehouse, a third-party vendor that offers account maintenance services to Morgan Stanley's StockPlan Connect business, told Morgan Stanley that hackers had accessed its Accellion FTA server and stolen information from Morgan Stanley stock plan participants. An Accellion FTA vulnerability was exploited on the Guidehouse server in January, although the vendor patched it within five days of the fix becoming available.
The breach was detected in March, and the impact on Morgan Stanley customers was identified in May when Guidehouse notified the financial services company of the incident. No indication was found that the threat actors had disseminated the stolen data online. "There was no data security breach of any Morgan Stanley applications," Morgan Stanley said in data breach notification letters sent to impacted individuals. "The incident involves files which were in Guidehouse’s possession, including encrypted files from Morgan Stanley."
Although the stolen files were encrypted while stored on the compromised Guidehouse Accellion FTA server, the threat actors obtained the decryption key as part of the attack. According to the company, the files stolen from Guidehouse's FTA server did not contain any passwords or credentials that threat actors could use to access impacted Morgan Stanley customers' financial accounts.
"The protection of client data is of the utmost importance and is something we take very seriously," a Morgan Stanley spokesperson said. "We are in close contact with Guidehouse and are taking steps to mitigate potential risks to clients."
While the identity of the attackers was not revealed in Morgan Stanley's data breach notification, a joint statement released in February by Accellion and Mandiant offered more insight into the attacks, directly attributing them to the FIN11 cybercrime group. The Clop ransomware group has also stolen data from many firms by using an Accellion FTA zero-day vulnerability (disclosed in December 2020). According to Accellion, approximately 300 clients used the 20-year-old FTA software, and fewer than 100 of them were hacked.