Leading investment banking firm Morgan Stanley recently suffered a data breach that involved cyber criminals hacking into a third-party vendor’s Accellion FTA server. The breach compromised sensitive personal information of its customers.
Morgan Stanley was made aware of the breach in May when Guidehouse, a third-party vendor providing account maintenance services to Morgan Stanley’s StockPlan Connect business, informed the firm that threat actors had accessed its Accellion FTA server and stolen information related to the investment firm’s StockPlan customers.
Soon after, the firm sent data breach notifications to its affected customers. “We are notifying the StockPlan Connect corporate clients that own or license the New Hampshire residents’ data affected by this incident,” the letter read.
The letter states that the Accellion FTA vulnerability that led to this incident was patched by its vendor Guidehouse in January 2021, within 5 days of the patch becoming available. Guidehouse, however, discovered the breach in March and informed Morgan Stanley in May. It has also confirmed that as of now, there is no evidence to prove that the compromised data was used by hackers.
“There was no data security breach of any Morgan Stanley applications. The incident involves files which were in Guidehouse’s possession, including encrypted files from Morgan Stanley,” the notification included.
The compromised data included names, last known addresses, dates of birth, Social Security numbers, and corporate company names. Morgan Stanley has, however, confirmed that the leaked data did not contain any passwords that could be used to access financial accounts. Though the stolen files from the Guidehouse Accellion FTA server were encrypted, the hackers were able to get hold of the decryption key during the attack.
Accellion FTA’s zero-day vulnerability first came to light in December 2020 when the Clop ransomware gang infiltrated the two-decades-old file transfer product and stole information belonging to multiple companies that used the FTA application. In mid-December, Accellion was made aware of a zero-day vulnerability in its legacy FTA software and released a fix within 72 hours.
After the breach took place, a number of organisations came forward to state that they had been affected by the cyber attack and had lost sensitive data to hackers. Jones Day, one of the top law firms in the US with clients including JPMorgan Chase & Co, Google, Alphabet Inc., Procter & Gamble Co., McDonald’s Corp and Walmart Inc., told the media that it was among the affected organisations.
Commenting on the breach affecting Morgan Stanley, Tim Mackey, principal security strategist at the Synopsys CyRC (Cybersecurity Research Centre), told Teiss that when a patch is issued for software that has been actively exploited, simply patching the software and moving on isn’t the best path. Attackers might have already compromised the system, and since they define the rules of their attack, they might be waiting for a good time to actually launch the attack or release data already obtained.
“Since the goal of patch management is protecting systems from compromise, patch management strategies should include reviews for indications of previous compromise – even if the software is already patched. With the software supply chains that power modern business including various service providers, periodic reviews of service provider relationships should also include verification that latent compromise isn’t present,” he added.
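Turning that advice into a concrete check, as an added example that is not from the article, Synopsys or any of the firms named above: a small Python triage that refuses to mark a host as closed until a post-patch review has covered the window in which it was exposed to active exploitation. Host names and dates are constructed for illustration.

```python
"""Triage hosts exposed to an actively exploited vulnerability so that
"patched" is not mistaken for "clean" (illustrative example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Host:
    name: str
    patched_on: Optional[date]   # None: the fix has not been applied yet
    reviewed_on: Optional[date]  # last forensic review for prior compromise


def exposure_days(host: Host, exploited_since: date, today: date) -> int:
    """Days the host ran vulnerable code while the bug was being exploited."""
    end = host.patched_on or today
    return max(0, (end - exploited_since).days)


def triage(host: Host, exploited_since: date, today: date) -> str:
    """Classify a host as 'unpatched', 'review_needed' or 'closed'."""
    if host.patched_on is None:
        return "unpatched"
    if exposure_days(host, exploited_since, today) == 0:
        return "closed"  # fixed before exploitation began, no window to review
    # A review only counts if it ran after the patch: only then does it cover
    # the whole period during which an attacker could have got in.
    if host.reviewed_on is None or host.reviewed_on < host.patched_on:
        return "review_needed"
    return "closed"


def triage_fleet(hosts, exploited_since: date, today: date) -> dict:
    return {h.name: triage(h, exploited_since, today) for h in hosts}


# Constructed fleet; the dates are illustrative, not the incident's real ones.
EXPLOITED_SINCE = date(2020, 12, 16)
TODAY = date(2021, 3, 1)
FLEET = [
    Host("fta-prod-1", date(2021, 1, 25), None),               # patched, never reviewed
    Host("fta-prod-2", date(2021, 1, 25), date(2021, 1, 10)),  # reviewed before the patch
    Host("fta-staging", date(2020, 12, 10), None),             # fixed ahead of exploitation
    Host("fta-legacy", None, None),                            # still running vulnerable code
    Host("fta-dr", date(2021, 1, 25), date(2021, 2, 2)),       # patched, then reviewed
]

if __name__ == "__main__":
    for name, status in triage_fleet(FLEET, EXPLOITED_SINCE, TODAY).items():
        print(f"{name:12} {status}")
```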
According to Alexa Slinger, identity management expert at OneLogin, businesses must mitigate the cyber security risks of legacy systems by conducting regular vulnerability assessments to determine areas of weakness, ensuring that the most recent patches are applied immediately, and investing in additional layers of security for securing and monitoring their endpoints and network.
“This incident also highlights the need for consumers to be educated on what to do in the case of their personal data being compromised and the appropriate steps to take. Consumers should always be keeping an eye on all of their online accounts, and enable credit monitoring to swiftly detect suspicious activity in their financial accounts.”