Morgan Stanley Hit by Accellion Hack Through Third-Party Vendor
Investment banking firm Morgan Stanley has allegedly reported that the personal information of some of its customers was compromised during the Accellion hacks. Morgan Stanley disclosed the security incident to the New Hampshire Attorney General earlier this month, according to new reports. The data was compromised through a third-party vendor that was using the Accellion FTA service when that file transfer service was hacked between December 2020 and January 2021. The FIN11 cybercrime group allegedly exploited several vulnerabilities to access files pertaining to dozens of organizations. The third-party vendor affected by the incident is Guidehouse, which provides account maintenance services to Morgan Stanley.
Customers affected by the security breach include those enrolled in StockPlan Connect, according to Morgan Stanley. Although the files were encrypted, the adversary was allegedly able to obtain the decryption key due to the Accellion FTA vulnerability. Exposed information includes names, addresses, Social Security numbers, corporate company names, and birth dates. Guidehouse states that it patched its FTA instance within 5 days of the updates' release; however, it was too late and the service had already been breached. Morgan Stanley has confirmed that 108 New Hampshire individuals were affected, but it has not clarified how many others were impacted.