The financial services and investment bank Morgan Stanley has recently disclosed a data breach in the wake of the Accellion fiasco. This news arrives months after the incident as the firm learned of the incident due to an affected third-party service.
Morgan Stanley Data Breach
Reportedly, Morgan Stanley has emerged as the latest victim of the Accellion supply-chain attack. Morgan Stanley is a US-based investment and financial services corporation currently operating in over 42 countries.
Recently, the firm disclosed an indirect impact of the Accellion FTA zero-day exploit via data breach notifications. It turns out that Morgan Stanley suffered a data breach as one of its service providers, Guidehouse, faced an impact.
As stated in the notification,
On May 20, 2021, Morgan Stanley was notified by Guidehouse, a vendor that provides account maintenance services to Morgan Stanley’s StockPlan Connect business, that it had suffered an information security incident. Guidehouse advised us that data that it maintained for Morgan Stanley had been accessed through the Accellion FTA vulnerability.
The breached data precisely included the personal information of the firm’s StockPlan Connect participants. This includes the participants’ names, addresses, birth dates, corporate company names, and social security numbers. Though Guidehouse had the file in encrypted form, the attackers could even obtain the decryption key during the breach.
Elaborating further on the timelines, Morgan Stanley mentioned that Guidehouse noticed the breach in March 2021, whereas it further identified the impact on Morgan Stanley’s data in May.
Consequently, the firm is also informing the affected individuals about the breach. Besides, Guidehouse has also arranged free-of-cost credit monitoring for 24-months for the affected participants.
With this report, Morgan Stanley simply joins the trail of Accellion victims that suffered data breaches as the attackers actively exploited a zero-day vulnerability in Accellion FTA. Although the vendors deployed a patch for the bug within few days. Still, the attackers got enough time to conduct back-to-back attacks.