- Morgan Stanley suffered a data breach after one of its vendors discovered a compromise through the Accellion file transfer appliance (FTA) vulnerability, according to a July 2 breach notification disclosure letter obtained by Bleeping Computer.
- Management consulting firm Guidehouse provides account maintenance services for Morgan Stanley's StockPlan Connect business, a stock plan management service companies offer to their employees, according to the letter. Guidehouse discovered it was compromised from the Accellion incident in March, but did not discover the breach of Morgan Stanley data in its possession until May.
- While Guidehouse quickly patched the Accellion FTA vulnerability in January, attackers already obtained personally identifiable information — including names, dates of birth and Social Security numbers — of Morgan Stanley customers, according to the letter. While the files were encrypted, the bad actor accessed the decryption key during the incident.
While there was no breach of Morgan Stanley applications, the bank was still subject to an incident through a supply chain attack. In this case, a compromise further up the supply chain, the vendor of a Morgan Stanley vendor, led to the incident.
"We are in close contact with Guidehouse and are taking steps to mitigate potential risks to clients," a Morgan Stanley spokesperson told Cybersecurity Dive. Guidehouse could not be reached for comment.
The Accellion incident is just one of many supply chain attacks companies have had to contend with in the past year. Hacks of SolarWinds, Microsoft Exchange and, more recently, Kaseya have created headaches for companies trying to ensure security of their systems.
Now, the threats extend beyond the security perimeter, and breaches can happen through networked vendors or those in possession of proprietary data.
"What a lot of these threat actors are looking for is a foothold that they can then go downstream and compromise," said Jason Firch, co-founder and CEO/CMO at cybersecurity company PurpleSec.
In this case, Morgan Stanley was caught in the backspray of a large compromise, which is difficult to prevent unless every detail of their vendor's technology ecosystem is scrutinized.
A regulators has penalized Morgan Stanley for its handling of data before. The Office of the Comptroller of the Currency (OCC) fined the bank $60 million in October for failing to properly oversee the decommissioning of two data centers connected to its wealth management business in 2016.
The bank hired a third-party vendor to wipe data from servers and other hardware, but some customer information remained on the equipment after it was sold to a recycler.
"[W]e concluded that it would be very difficult for anyone to access or misuse the data, given what we believe subsequently happened to those devices and the fact that many of the devices had design features that made it unlikely that data was accessed or misused," the bank's field management chief, Vince Lumia, wrote in a July 2020 memo. "We have continuously monitored the situation — looking not only for data associated with our current clients, but any information indicating a breach of Morgan Stanley client data — and have not detected any unauthorized activity related to the incident."
Nonetheless, plaintiffs in a class-action lawsuit filed against the bank in August claimed "the missing equipment and servers contain everything unauthorized third parties need to illegally use Morgan Stanley's current and former customers' [personal identifiable information] to steal their identities and to make fraudulent purchases," according to American Banker.
Morgan Stanley "failed to effectively assess or address risks associated with decommissioning its hardware; failed to adequately assess the risk of subcontracting the decommissioning work, including exercising adequate due diligence in selecting a vendor and monitoring its performance; and failed to maintain appropriate inventory of customer data stored on the decommissioned hardware devices," the OCC said in October, adding the bank had seen similar "vendor management control deficiencies" in 2019, when it decommissioned other hardware.
Easier point of entry
Banks spend hundreds of millions, if not billions, of dollars every year to protect their digital footprint, Firch said.
"From a threat actor perspective, they're not going to go after Morgan Stanley," he said. "It would take ... an advanced persistent threat or, like, a nation-state actor who can afford to allocate the resources and who can be patient enough to break into the systems in order to compromise them."
An easier entry point is to find a flaw and circumvent all that security investment, Firch said.
Accellion has a growing list of customers affected by the vulnerability in its legacy FTA product. Although the firm identified and quickly released a patch for a vulnerability in December, it later found other exploits for its FTA product. Affected organizations include the Office of the Washington State Auditor, the law firm Goodwin Procter, grocery chain Kroger and cloud security firm Qualys.
The software company remediated all vulnerabilities related to its legacy FTA by March 1, and moved up the date of the FTA's end-of-life to April 30, according to the company. In its analysis of the incident, FireEye Mandiant found exploits of the FTA in December and January.