Morgan Stanley has revealed that its customers’ personal information was stolen after a hacker breached an Accellion FTA server of its third-party vendor.
Morgan Stanley is a US financial services company that provides a wide variety of products and services to individuals and corporations, such as investment banking, securities, and wealth and investment management.
In May 2021, Guidehouse, a third-party vendor that provides account maintenance services, notified Morgan Stanley that it had suffered an attack that compromised the account information of Morgan Stanley stock plan participants.
The Guidehouse server was breached in January by an attacker who exploited an Accellion FTA vulnerability.
Guidehouse discovered in March that its customers’ personal information was breached, and in May that Morgan Stanley was impacted.
“There was no data security breach of any Morgan Stanley applications,” Morgan Stanley said in data breach notification letters sent to impacted individuals. “The incident involves files which were in Guidehouse’s possession, including encrypted files from Morgan Stanley.”
Even though the files were encrypted, the attackers were still able to obtain the key during the attack.
According to Morgan Stanley, the documents stolen during the incident contained the names of company executives and employees, stock plan participants’ names, addresses (last known address), dates of birth, and Social Security numbers.
The stolen files did not contain customer passwords or other credentials to Morgan Stanley customers’ financial accounts.
“The protection of client data is of the utmost importance and is something we take very seriously,” a Morgan Stanley spokesperson told BleepingComputer. “We are in close contact with Guidehouse and are taking steps to mitigate potential risks to clients.”
While the attackers’ identity was not disclosed by Morgan Stanley, in February, Accellion and Mandiant revealed that the attackers were part of the FIN11 cybercrime group.
However, the Clop ransomware group has also used a zero-day flaw in Accellion’s FTA software to steal data from multiple customers.
Accellion said that fewer than 100 of them were breached in these attacks. Among the organizations that have been hit were Shell, Singtel, Kroger, the Australian Securities and Investment Commission, the New Zealand Reserve Bank, and the US Office of the State Auditor.