Leading investment banking firm Morgan Stanley reported that hackers accessed its customers’ sensitive information in a third-party data breach.
In a July 2 letter to the New Hampshire Attorney General’s office, the bank said that Guidehouse had disclosed that hackers accessed customers’ records in the Accellion hack. Guidehouse provides account maintenance services to Morgan Stanley’s StockPlan Connect business.
Morgan Stanley is among the hundreds of customers compromised via the Accellion FTA vulnerability first reported in December 2020.
Other victims include Jones Day, Shell, Qualys, the Reserve Bank of New Zealand, Singtel, Kroger, the Office of the Washington State Auditor (SAO), and the Australian Securities and Investments Commission (ASIC).
Third-party data breach exposed Morgan Stanley’s decryption key
The Accellion hack exposed Morgan Stanley’s encrypted files that were in Guidehouse’s possession. The hackers also obtained the decryption key in the third-party data breach, which was first reported by Bleeping Computer.
However, the data did not include any security credentials, such as passwords, that could allow the hackers to access customers’ financial accounts.
It did include personally identifiable information (PII) such as customers’ names, addresses, dates of birth, social security numbers, and company names.
Morgan Stanley disclosed that 108 New Hampshire residents were affected by the third-party data breach. However, the investment bank did not disclose the total number of customers exposed in the Accellion hack.
“The protection of client data is of the utmost importance and is something we take very seriously,” the company said. “We are in close contact with Guidehouse and are taking steps to mitigate potential risks to clients.”
Morgan Stanley’s Accellion hack was discovered almost half a year later
Guidehouse said it patched the Accellion FTA vulnerability within five days of Accellion releasing security fixes in January 2021. However, Guidehouse said that the threat actors had already obtained the files by then.
Additionally, the company did not discover the Accellion hack until March 2021, and did not determine that Morgan Stanley was affected until May 2021. Guidehouse said the delay was caused by the “difficulty in retroactively determining which files were stored in the Accellion FTA appliance.”
Guidehouse, however, said it had no evidence that the stolen data had been distributed. Reuters reported that the bank had recovered the stolen files and was monitoring the dark web for any leaks. The bank had also engaged the credit monitoring firm Experian to monitor the victims’ accounts for 24 months.
Clop ransomware gang suspected of hacking Morgan Stanley
Although the threat actor responsible for the third-party data breach remains unknown, the Clop and FIN11 ransomware gangs were suspected of being responsible. The Clop ransomware gang had earlier demanded payment from various companies affected by the Accellion hack.
The hackers exploited an SQL injection vulnerability in the 20-year-old legacy system to gain access and install the DEWMODE web shell, according to Mandiant, which responded to the initial Accellion hack.
Some victims criticized Accellion for the poor handling of the initial data breach. For example, the Reserve Bank of New Zealand complained that Accellion delayed sending alerts immediately after discovering the intrusion. The delay denied the victims the opportunity to take precautionary measures in advance.
Similarly, within 72 hours of the first security incident, Accellion claimed that it had fixed all vulnerabilities, only for new ones to emerge.
Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, said that organizations need an emergency security patching process, given the speed at which threat actors capitalize on system vulnerabilities.
“It’s also critical for organizations to understand that their customer data is still their own responsibility, even when shared with a vendor,” Clements added. “Part of a considered approach to working with any vendor is the acknowledgment that doing so broadens the organization’s attack surface, and taking steps to mitigate risk contractually and by being as selective as possible with the amount of data and the duration of time that data is shared.”
Alexa Slinger, an identity management expert at OneLogin, noted that the security incident was a warning to all companies still using the Accellion FTA appliance.
“Businesses must mitigate the cybersecurity risks of legacy systems by conducting regular vulnerability assessments to determine areas of weakness, ensuring that the most recent patches are applied immediately and invest[ing] in additional layers of security for securing and monitoring their endpoints and network. Efforts should be made to educate the public about phishing attempts, clarifying the ways a business will and will not contact the customer,” Slinger said.
“Earlier this year, Kroger suffered a similar breach where a third party exploited the Accellion vulnerability,” noted Saryu Nayyar, CEO at Gurucul. “In Kroger’s case, a federal class-action lawsuit was filed because Accellion had encouraged customers to move to a newer and more secure file transfer platform.
“Now Morgan Stanley’s customers’ personally identifiable information has been breached due to this same attack vector. Where does that leave these customers? Is Morgan Stanley staring down a class action lawsuit as well?”
Rajiv Pimplaskar, CRO at Veridium, pointed out that 50% of leaks were third-party data breaches.
“While most organizations have taken measures to secure remote employee access during the COVID-19 pandemic, it’s important to recognize that these 3rd party systems that are often credential (password) based remain a source of high risk,” Pimplaskar continued. “Passwords can be guessed, reused or even brute-forced by bad actors who can then access sensitive or Personally Identifiable Information (PII) via lateral movement.”
He recommended the adoption of “modern authentication technologies with strong or passwordless Multi-Factor Authentication (MFA) to ensure a trusted end-to-end digital identity relationship with all suppliers.”