[BreachExchange] Morgan Stanley announces breach of customer SSNs through Accellion FTA vulnerability

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Fri Jul 9 10:35:58 EDT 2021


https://www.zdnet.com/article/morgan-stanley-announces-breach-of-customer-ssns-through-accellion-fta-vulnerability/

Morgan Stanley has notified New Hampshire Attorney General John Formella
that one of its vendors was attacked through the Accellion FTA
vulnerability and that some customer information -- including Social
Security numbers -- was accessed.

In a letter dated July 2, Morgan Stanley said that Guidehouse, a vendor
that provides account maintenance services to Morgan Stanley's StockPlan
Connect business, informed them on May 20 that it had been hacked.

The information of some StockPlan Connect participants, including those in
New Hampshire, was "obtained by an unauthorized individual." Morgan
Stanley said it "regularly" sends a secure file to Guidehouse of existing
StockPlan long shareholders scheduled for escheatment and "engages
Guidehouse to obtain current contact information for these StockPlan
participants prior to the escheatment process commencing."

"Although the files in Guidehouse's possession were encrypted, we have been
told by Guidehouse that the unauthorized individual was able to obtain the
decryption key during the security incident, due to the Accellion FTA
vulnerability," the company said, adding that passwords for financial
accounts were not accessed during the breach.

"The files obtained from the vendor included the following participant
information: name; address (last known address); date of birth; Social
Security number (if the participant had one); and corporate company name."

Guidehouse told Morgan Stanley that the attacker gained access to the
information in January, but that they did not discover the attack until
March and then waited another two months before telling Morgan Stanley.

Guidehouse defended its actions to Morgan Stanley, claiming the Accellion
FTA vulnerability was patched "within 5 days of the patch becoming
available" and that they waited until May to notify Morgan Stanley because
of the "difficulty in retroactively determining which files were stored in
the Accellion FTA appliance when the appliance was vulnerable."

In a statement to ZDNet, a Morgan Stanley spokesperson said the "protection
of client data is of the utmost importance and is something we take very
seriously."

"We are in close contact with Guidehouse and are taking steps to mitigate
potential risks to clients," the spokesperson said.

Breach notification letters have already been sent out to those who have
been affected by the incident.

The company said it is providing any victims in New Hampshire with 24
months of free credit monitoring services from Experian and will "arrange
to provide codes to our corporate clients or directly to New Hampshire
residents as applicable." It did not say whether people in other states
were affected.

The Accellion FTA vulnerability has been used widely by cybercriminals to
launch an array of attacks against some of the biggest companies in the
world.

The Clop ransomware group became well-known for attacking companies using
old versions of the Accellion FTA file-sharing server like Stanford
Medicine and Bombardier. The Reserve Bank of New Zealand, the University of
Maryland Baltimore, Washington State Auditor, the University of California
and cybersecurity firm Qualys are just a few of the victims attacked by
Clop members through the Accellion vulnerability.

Kroger and Shell have also faced attacks through the Accellion FTA
vulnerability. Accellion announced the end-of-life for the FTA product in
February due to the spate of attacks.