Morgan Stanley has confirmed a data breach of some customer SSNs and other personal data via one if its vendor’s vulnerable Accellion FTA systems.
In a letter to New Hampshire’s Attorney General, Morgan Stanley wrote that they were notified of the incident by one of its vendors Guidehouse on May 20, 2021. Guidehouse performs account maintenance services to Morgan Stanley’s StockPlan Connect business.
“Guidehouse advised us that data that it maintained for Morgan Stanley had been accessed through the Accellion FTA vulnerability,” Morgan Stanley wrote in the letter.
The vendor confirmed an unauthorized individual likely gained access in January, 2021 to records of 108 customers residing in New Hampshire. Although the affected system was patched within five days after the Accellion FTA vulnerability patch was made available, the actor likely used that small window of time to still exploit the flaw and steal the data.
Moreover, the vendor did not spot the data theft until March of 2021 and was not able to confirm the impact to Morgan Stanley until May of 2021.
The stolen files contained customer participant data to include: name, last known address, date of birth, Social Security number (if the participant had one) and corporate company name.
As readers may remember, cyber attackers were spotted in mid-December last year and earlier this year exploiting Accellion File Transfer (FTA) appliance vulnerabilities to steal data and threaten their victims with extortion attempts. Energy giant Shell, security firm Qualys and many others fell victim to Accellion FTA attacks.