Morgan Stanley Suffers Data Breach Due to Third-Party Attack

Investment banking firm Morgan Stanley recently disclosed suffering from a data breach resulting in the theft of customers’ personally-identifying information (PII). 

The hackers responsible gained access through the Accellion FTA server of a Guidehouse, a third-party account maintenance vendor. Guidehouse notified Morgan Stanley of its breach in May, noting they had the intention to steal Morgan Stanley stock plan participants PII. 

Moreover, the hackers exploited the Accellion FTA vulnerability in January five days before the patch for it became available. 

While Morgan Stanley stressed in a letter to notify customers that its applications remain secure, customer information including social security numbers, names, dates of birth, and corporate company names were all stolen. The hackers do not seem to have obtained credentials and as of time of writing it does not appear as if the hackers are selling the information online. 

The number of affected individuals remains unknown. We consulted multiple cybersecurity experts for their take on the attack. Here’s what they had to say.

Chris Clements

Chris Clements is VP of Solutions Architecture at Cerberus Sentinel.

“This demonstrates the speed with which modern threat actors capitalize on vulnerabilities. There were reportedly only 5 days between the Accellion patch was made available and it being applied by Guidehouse.  All organizations need to implement a plan for emergency security patching when it’s clear that they are at risk of imminent compromise without regard to non-safety-related availability concerns.

It’s also critical for organizations to understand that their customer data is still their own responsibility, even when shared with a vendor.  As part of a considered approach to working with any vendor is the acknowledgment that doing so broadens the organization’s attack surface and taking steps to mitigate risk contractually and by being as selective as possible with the amount and duration of time that data is shared.”

Alexa Slinger

Alexa Slinger is an identity management expert at OneLogin.

“This recent disclosure from Morgan Stanley serves as a stern reminder to all organizations who were previously, or currently are, using the Accellion FTA product that they must be prepared for additional hack disclosures. Businesses should be putting guardrails and safety measures in place for their consumer identities and data, as well as have a crisis management and recovery process ready.

Businesses must mitigate the cybersecurity risks of legacy systems by conducting regular vulnerability assessments to determine areas of weakness, ensuring that the most recent patches are applied immediately and invest in additional layers of security for securing and monitoring their endpoints and network. Efforts should be made to educate the public about phishing attempts, clarifying the ways a business will and will not contact the customer.

This incident also highlights the need for consumers to be educated on what to do in the case of their personal data being compromised and the appropriate steps to take. Consumers should always be keeping an eye on all of their online accounts, and enable credit monitoring to swiftly detect suspicious activity in their financial accounts.

As more breaches continue to trickle down, it remains unclear how many organizations are still using the Accellion FTA product, as well how many other breaches have remained undisclosed.”

Thanks to these cybersecurity experts for their time and expertise on the Morgan Stanley data breach. For more, check out the Identity Management Buyer’s Guide or the Solutions Suggestion Engine.