Morgan Stanley’s Third-Party Data Breach Leaks Customers’ Sensitive Information via an Accellion Hack

Opt-in to Cyber Safety. Multiple layers of protection for your devices, online privacy and more.

Leading investment banking firm Morgan Stanley reported that hackers accessed its customers’ sensitive information in a third-party data breach.

In a July 2  letter to the New Hampshire Attorney General’s office, the bank said that Guidehouse disclosed that hackers had accessed customers’ records in the Accellion hack. Guidehouse offers account maintenance services to Morgan Stanley’s StockPlan Connect business.

Morgan Stanley is among the hundreds of customers compromised via the Accellion FTA vulnerability first reported in December 2020.

Other victims include Jones Day, Shell, Qualys, the Reserve Bank of New Zealand, Singtel, Kroger, the Office of the Washington State Auditor (“SAO”), the Australian Securities and Investments Commission (ASIC), among others.

Third-party data breach exposed Morgan Stanley’s decryption key

The Accellion hack leaked Morgan Stanley’s encrypted files under Guidehouse’s possession. The hackers also managed to obtain the decryption key in the third-party data breach first reported by Bleeping Computer.

However, the data did not include any security credentials like passwords that could allow the hackers to access customers’ financial accounts.

However, it included personally identifiable information (PII) like customers’ names, addresses, dates of birth, social security numbers, and company names.

Morgan Stanley disclosed that 108 New Hampshire residents were affected by the third-party data breach. However, the investment bank did not disclose the total number of customers exposed in the Accellion hack.

“The protection of client data is of the utmost importance and is something we take very seriously,” the company said. “We are in close contact with Guidehouse and are taking steps to mitigate potential risks to clients.”

Morgan Stanley’s Accellion hack was discovered almost half a year later

Guidehouse said it patched the Accellion FTA vulnerability within 5 days after the company released security fixes in January 2021. However, the company said that the threat actors had obtained the files by then.

Additionally, the company did not discover the Accellion hack until…