The letter to affected Morgan Stanley customers states:
"On May 20, 2021, Morgan Stanley was notified by Guidehouse, a vendor that provides account maintenance services to Morgan Stanley’s StockPlan Connect business, that it had suffered an information security incident. Guidehouse advised us that data that it maintained for Morgan Stanley had been accessed through the Accellion FTA vulnerability... Although the files in Guidehouse’s possession were encrypted, we have been told by Guidehouse that the unauthorized individual was able to obtain the decryption key during the security incident, due to the Accellion FTA vulnerability."
A copy of the complete letter, dated July 2, is posted here. Note the practical lesson in that paragraph: encrypting the files at rest did not protect them, because the same vulnerability that exposed the data also exposed the decryption key. Encryption at rest only holds up when the key material is not reachable from the same compromised system as the data it protects.
Where MSSPs Should Focus
We'll be watching to see if the New York State Department of Financial Services (DFS) issues a comment or guidance about the data heist. DFS is very active on the cybersecurity front, and occasionally fines financial services firms for data breaches and exposures. DFS also provides important guidance that MSSPs (managed security services providers) can leverage as they work in and around the financial services market, particularly in New York.
Meanwhile, some MSSPs and MDR service providers are weighing in on the breach. In a prepared statement, CriticalStart CTO Randy Watkins said:
“While Guidehouse will face blowback for taking months to notice and disclose the breach, this is, unfortunately, not uncommon. Attackers can routinely dwell in environments for months before being discovered, if at all. With so much dwell time, attackers can move laterally and establish persistence throughout the network to maintain an entry into the Guidehouse environment. This is difficult to enumerate and remove while not being actively used by the attacker. This persistence can be used to access the environment to steal additional information, or potentially launch a ransomware attack across the enterprise.
Morgan Stanley responded appropriately by notifying affected customers, though the steps to remediate the third-party breach, and any subsequent steps taken to validate third-party security, likely won’t be disclosed to the public. The Accellion vulnerability was widely publicized, and has been patched. However, with many organizations struggling to consistently patch all assets, there will likely be some additional disclosures in the future.”
CriticalStart is an MDR service provider based in Texas.
Morgan Stanley Supply Chain Data Breach: What's At Risk
The Morgan Stanley breach was first reported by Bleeping Computer. According to that report, Morgan Stanley says that the documents stolen during this incident contained:
- Stock plan participants' names
- Addresses (last known address)
- Dates of birth
- Social security numbers
- Corporate company names
This is the latest in a growing list of data breaches traced back to Accellion vulnerabilities that were discovered in December 2020. Accellion, which patched the vulnerabilities, specializes in secure file sharing and collaboration software. The company develops an enterprise content firewall leveraged by more than 3,000 global corporations, government organizations, hospitals and universities. Key investors include Baring Private Equity Asia and Bregal Sagemount.
Cybercriminals have repeatedly exploited the Accellion FTA zero-day vulnerabilities to steal data from various global organizations and then extort those organizations over its release.