"On May 20, 2021, Morgan Stanley was notified by Guidehouse, a vendor that provides account maintenance services to Morgan Stanley’s StockPlan Connect business, that it had suffered an information security incident. Guidehouse advised us that data that it maintained for Morgan Stanley had been accessed through the Accellion FTA vulnerability... Although the files in Guidehouse’s possession were encrypted, we have been told by Guidehouse that the unauthorized individual was able to obtain the decryption key during the security incident, due to the Accellion FTA vulnerability."
Where MSSPs Should Focus
We'll be watching to see if the New York State Department of Financial Services (DFS) issues a comment or guidance about the data heist. DFS is very active on the cybersecurity front, and occasionally fines financial services firms for data breaches and exposures. DFS also provides important guidance that MSSPs (managed security services providers) can leverage as they work in and around the financial services market, particularly in New York.

Meanwhile, some MSSPs and MDR service providers are weighing in on the breach. In a prepared statement, CriticalStart CTO Randy Watkins said:

“While Guidehouse will face blowback for taking months to notice and disclose the breach, this is, unfortunately, not uncommon. Attackers can routinely dwell in environments for months before being discovered, if at all. With so much dwell time, attackers can move laterally and establish persistence throughout the network to maintain an entry into the Guidehouse environment. This is difficult to enumerate and remove while not being actively used by the attacker. This persistence can be used to access the environment to steal additional information, or potentially launch a ransomware attack across the enterprise.
Morgan Stanley responded appropriately by notifying affected customers, though the steps to remediate the third party breach, and any subsequent steps taken to validate third party security likely won’t be disclosed to the public. The Accellion vulnerability was widely publicized, and has been patched. However, with many organizations struggling to consistently patch all assets, there will likely be some additional disclosures in the future.”
Morgan Stanley Supply Chain Data Breach: What's At Risk
The Morgan Stanley breach was first reported by Bleeping Computer. According to that report, Morgan Stanley says that the documents stolen during this incident contained:

- Stock plan participants' names
- Addresses (last known address)
- Dates of birth
- Social security numbers
- Corporate company names