Morgan Stanley has revealed a data breach after attackers hacked into a third-party vendor’s Accellion FTA server and stole personal information belonging to its clients.
Morgan Stanley is a global financial services corporation that specialises in investment banking, securities, wealth management, and investment management.
Corporations, governments, institutions, and individuals from more than 41 countries are among the company’s clients.
As per the latest report by BleepingComputer, in May 2021, Guidehouse, a third-party vendor that offers account maintenance services to Morgan Stanley’s StockPlan Connect business, informed Morgan Stanley that hackers had accessed its Accellion FTA server and stolen information from Morgan Stanley stock plan participants.
In January, an Accellion FTA vulnerability was exploited on the Guidehouse server; however, the vendor patched it within five days of the patch becoming available.
The breach was detected in March, and the impact on Morgan Stanley customers was identified in May, when Guidehouse notified the financial services company of the incident.
No indication was found that the threat actors had distributed the stolen data online.
“There was no data security breach of any Morgan Stanley applications,” Morgan Stanley said in data breach notification letters sent to impacted individuals.
“The incident involves files which were in Guidehouse’s possession, including encrypted files from Morgan Stanley.”
Although the stolen files were stored in encrypted form on the compromised Guidehouse Accellion FTA server, the threat actors obtained the decryption key as part of the attack.
According to Morgan Stanley, the documents stolen in this incident included:
- Stock plan participants’ names
- Addresses (last known address)
- Dates of birth
- Social security numbers
- Corporate company names
BleepingComputer reported that, according to the company, the files stolen from Guidehouse’s FTA server did not contain any passwords or credentials that threat actors could use to gain access to impacted Morgan Stanley customers’ financial accounts.
“The protection of client data is of the utmost importance and is something we take very seriously,” a Morgan Stanley spokesperson told BleepingComputer. “We are in close contact with Guidehouse and are taking steps to mitigate potential risks to clients.”