Investment banking firm Morgan Stanley said it has suffered a data breach after Guidehouse, a third-party vendor that provides account maintenance services to Morgan Stanley’s StockPlan Connect business, was hit by the Accellion FTA hack.
Guidehouse informed the investment banking firm in May 2021 that hackers got access to data it maintained for Morgan Stanley via the Accellion FTA vulnerability. Specifically, attackers accessed documents containing the personal information of StockPlan Connect participants, including name, address (last known address), date of birth, Social Security number (if the participant had one), and corporate company name. The files did not contain passwords that could be used to access financial accounts, Morgan Stanley explained in a letter submitted to the New Hampshire Attorney General’s office.
The company said that while the documents in Guidehouse’s possession were encrypted, the hackers were also able to obtain the decryption key through the Accellion FTA vulnerability, so the encryption provided no protection for the stolen files.
Guidehouse fixed the Accellion FTA vulnerability within five days of the patch becoming available, but by that time the data had already been compromised. Guidehouse discovered the breach in March 2021, “and did not discover the impact to Morgan Stanley until May 2021, due to the difficulty in retroactively determining which files were stored in the Accellion FTA appliance when the appliance was vulnerable.”
The wave of attacks against Accellion FTA servers started in mid-December 2020 and attempted to exfiltrate sensitive data from the target systems.
The attacks, which exploited zero-day vulnerabilities in the Accellion FTA file-sharing application, affected multiple organizations across the globe, including the New Zealand Central Bank, Singtel, Kroger, Qualys and others. The attackers exploited several vulnerabilities in Accellion’s FTA product in order to gain access to target networks and steal data, namely CVE-2021-27101 (SQL injection), CVE-2021-27102 (OS command execution), CVE-2021-27103 (SSRF), and CVE-2021-27104 (OS command execution).