Attackers were able to compromise customers’ personal data by targeting the Accellion FTA server of a third-party vendor.
Morgan Stanley has confirmed a data breach in which attackers were able to access personal information belonging to customers by targeting a vulnerability in the Accellion FTA server.
The server belonged to Guidehouse, a vendor that provides account maintenance services to Morgan Stanley’s StockPlan Connect business, the bank said in a letter disclosing the incident. Attackers were able to access participant data, including name, last known address, birth date, Social Security number, and corporate company name. The data compromised did not include passwords that could be used to access financial accounts.
Morgan Stanley said the compromised files were encrypted; however, attackers were able to obtain the decryption key during the breach.
This makes the bank one of many organizations affected by the vulnerability in the Accellion FTA server, an issue disclosed earlier this year. Following Accellion’s January announcement, several businesses experienced data theft and subsequent extortion attempts.
While Guidehouse applied the patch for the vulnerability within five days of its availability, the attacker was able to access the data around that time, officials said. The vendor discovered the attack in March 2021 and learned it affected Morgan Stanley in May. It says the delay was due to difficulty determining which files were stored on the Accellion FTA server when it was exposed.