Morgan Stanley Security Breach Reveals Third-Party FI Risks


Jeff Domansky |

No matter how hard the financial industry tries, security breaches keep rolling out like new movie releases on Netflix or the latest music hits on Billboard.

No stranger to data breaches, Morgan Stanley is the latest security breach victim, and it’s a head shaker. The global financial giant joined the growing list of Accellion FTA users of its 20-year-old filesharing product.

The data breach resulted from an attack on the server of one of the financial institution’s third-party vendors. Guidehouse provided account maintenance services to Morgan Stanley’s StockPlan Connect business.

It’s just another sad story of sophisticated hackers, sloppy security procedures, legacy systems, and human error. Any of which are potential security risks.

The biggest concerns are the delays in notifications to the financial institution, its vendor, and ultimately the investors whose personal data was purloined.

It happened when?

The story surfaced on the tech support site Bleeping Computer. Guidehouse notified Morgan Stanley of the data breach on May 20, 2021. Although the Accellion FTA vulnerability was patched within five days, way back in January 2021, Guidehouse did not learn its server, and Morgan Stanley data was hacked until March 2021.

In a disclosure filing to the New Hampshire Attorney General’s office, Morgan Stanley revealed details of the data breach and its impact:

“According to Guidehouse, the Accellion FTA vulnerability that led to this incident was patched in January 2021, within five days of the patch becoming available. Although the data was obtained by the unauthorized individual around that time, the vendor did not discover the attack until March of 2021 and did not discover the impact to Morgan Stanley until May 2021 due to the difficulty in retroactively determining which files were stored in the Accellion FTA appliance when the appliance was vulnerable. Guidehouse has informed Morgan Stanley that it found no evidence that Morgan Stanley’s data had been distributed beyond the threat actor.”

Although it involved a relatively small number of confidential investor data for 108 Morgan Stanley clients, it included the name; address (last known address); date of birth; Social Security number (if the participant had one); and corporate company name. Fortunately, it did not contain passwords that could be used to access financial accounts.

It feels like informing the customer (Morgan Stanley) and through them regulatory officials and ultimately affected investors should happen faster.

Security experts weigh in

Some of the security experts we spoke with are shaking their heads too at this latest security breach.

“This recent disclosure from Morgan Stanley serves as a stern reminder to all organizations who were previously, or currently are, using the Accellion FTA product that they must be prepared for additional hack disclosures. Businesses should be putting guardrails and safety measures in place for their consumer identities and data, as well as have a crisis management and recovery process ready,” said Alexa Slinger, an identity management expert at OneLogin.

The scale of the breach remains an open question. “As more breaches continue to trickle down, it remains unclear how many organizations are still using the Accellion FTA product, as well how many other breaches have remained undisclosed,” Slinger warned.

Saryu Nayyar, CEO of enterprise security consultants Gurucul, said that as many as 51% of businesses have experienced a data breach due to third parties that misused sensitive or confidential information.

Saryu Nayyar CEO Gurucul
Companies don’t appear to be carefully assessing the security and privacy practices of all third parties before granting them access to secure or confidential information, according to a recent SecureLink/Ponemon Institute report.

The same report noted 44% of businesses said they had experienced a third-party data breach in the past 12 months.

“Look out Morgan Stanley! The bigger they are, the harder they fall. Earlier this year, Kroger suffered a similar breach where a third party exploited the Accellion vulnerability. In Kroger’s case, a federal class-action lawsuit was filed because Accellion had encouraged customers to move to a newer and more secure file transfer platform. Now Morgan Stanley’s customers’ personally identifiable information has been breached due to this same attack vector,” Nayyar said.

Nayyar also wonders where that leaves Morgan Stanley customers. “Is Morgan Stanley staring down a class action lawsuit as well? Time will tell. And time is definitely not on Guidehouse’s side. Not encrypting the decryption key is a huge faux pas. It’s like locking your front door but leaving the windows wide open. It’s a costly mistake.”

Third-party security risks are preventable

Security experts say third-party data breaches and risks can be minimized by being more proactive and anticipating when, not if, a data breach will occur.

“Over 50% of recent data breaches have been directly linked to third-party suppliers and vendors. While most organizations have taken measures to secure remote employee access during the COVID-19 pandemic, it’s important to recognize that these third-party systems that are often credential (password) based remain a source of high risk,” noted Rajiv Pimplaskar, CRO at Veridium.

“Passwords can be guessed, reused, or even brute-forced by bad actors who can then access sensitive or Personally Identifiable Information (PII) information via lateral movement. It is imperative to implement modern authentication technologies with strong or passwordless Multi-Factor Authentication (MFA) to ensure a trusted end-to-end digital identity relationship with all suppliers,” Pimplaskar added.

Bleeping Computer has tracked data breaches of the 20-year-old Accellion product users and attributed them to the Clop ransomware gang and FIN11 threat group.

Among those affected so far are supermarket giant Kroger, Singtel, QIMR Berghofer Medical Research Institute, Reserve Bank of New Zealand, Australian Securities and Investments Commission (ASIC), technical services company ABS Group, law firm Jones Day, scientific Corporation Danaher, University of Colorado, and the Office of the Washington State Auditor.

Slinger says organizations must do more. “Businesses must mitigate the cybersecurity risks of legacy systems by conducting regular vulnerability assessments to determine areas of weakness, ensuring that the most recent patches are applied immediately and invest in additional layers of security for securing and monitoring their endpoints and network.,” she advised.

Meanwhile, businesses that use or used the Accellion FTA product in the past are nervously holding their breath for more potential data breach disclosures.

Morgan Stanley Data Breach

Share this page:

Related Posts