Morgan Stanley discloses data breach after the hack of a third-party vendor

The American multinational investment bank and financial services firm Morgan Stanley discloses a data breach caused by the hack of an Accellion FTA server of a third-party vendor.

Investment banking firm Morgan Stanley has disclosed a data breach after threat actors have compromised the Accellion FTA server of the third-party vendor Guidehouse.

The company has offices in more than 42 countries and more than 60,000 employees, it has clients in multiple industries.

Guidehouse provides account maintenance services to Morgan Stanley’s StockPlan Connect business, hackers breached its Accellion FTA server and stole information belonging to Morgan Stanley stock plan participants.

The security breach was first reported by BleepingComputer that also shared a copy of the data breach notification letter sent to the impacted customers.

“On May 20, 2021, Morgan Stanley was notified by Guidehouse, a vendor that provides account maintenance services to Morgan Stanley’s StockPlan Connect business, that it had suffered an information security incident. Guidehouse advised us that data that it maintained for Morgan Stanley had been accessed through the Accellion FTA vulnerability.” reads the letter. “Specifically, Morgan Stanley documents in the possession of Guidehouse containing the personal information of StockPlan Connect participants, including participants in New Hampshire, were obtained by an unauthorized individual.”

The provider notified Morgan Stanley in May 2021 that hackers compromised its FTA install back in January by exploiting a zero-day vulnerability later addressed by the vendor.

The hack of the FTA server took place in March, but the hacker had access to the data of Morgan Stanley customers in May. The participant information accessed by the hackers included name; address (last known address); date of birth; Social Security number (if the participant had one); and corporate company name. The company pointed out that exposed files did not contain passwords that could be used to access financial accounts.

The stolen files were stored in encrypted form on the compromised Guidehouse Accellion FTA server, but the attackers were also able to obtain the key to decrypt it.

At the time of this writing, the investment banking firm has no evidence that hackers have abused stolen info or disseminated it online. Morgan Stanley pointed out that its systems were not breached by the threat actors.

“There was no data security breach of any Morgan Stanley applications,” continues the letter. “The incident involves files which were in Guidehouse’s possession, including encrypted files from Morgan Stanley.”

In February, security experts from FireEye linked a series of cyber attacks against organizations running Accellion File Transfer Appliance (FTA) servers to the cybercrime group UNC2546, aka FIN11.

The wave of attacks began in mid-December 2020, threat actors exploited multiple zero-day vulnerabilities in the Accellion File Transfer Appliance (FTA) software to deploy a shell dubbed DEWMODE on the target networks.

The attackers exfiltrate sensitive data from the target systems and then published it on the CLOP ransomware gang’s leak site.

It has been estimated that the group has targeted approximately 100 companies across the world between December and January. 

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

[adrotate banner=”5″]

[adrotate banner=”13″]