Morgan Stanley announces breach of customer SSNs through Accellion FTA vulnerability

The company sent a letter to New Hampshire’s Attorney General about the incident.

Morgan Stanley has notified New Hampshire Attorney General John Formella that one of its vendors was attacked through the Accellion FTA vulnerability and that some customer information -- including Social Security numbers -- was accessed.

In a letter dated July 2, Morgan Stanley said that Guidehouse, a vendor that provides account maintenance services to Morgan Stanley's StockPlan Connect business, informed them on May 20 that it had been hacked. 

The information of some StockPlan Connect participants, including those in New Hampshire, was "obtained by an unauthorized individual." Morgan Stanley said it "regularly" sends a secure file to Guidehouse of existing StockPlan long shareholders scheduled for escheatment and "engages Guidehouse to obtain current contact information for these StockPlan participants prior to the escheatment process commencing."

"Although the files in Guidehouse's possession were encrypted, we have been told by Guidehouse that the unauthorized individual was able to obtain the decryption key during the security incident, due to the Accellion FTA vulnerability," the company said, adding that passwords for financial accounts were not accessed during the breach. 

"The files obtained from the vendor included the following participant information: name; address (last known address); date of birth; Social Security number (if the participant had one); and corporate company name."

Guidehouse told Morgan Stanley that the attacker gained access to the information in January, that Guidehouse did not discover the attack until March, and that it then waited another two months before telling Morgan Stanley.

Guidehouse defended its actions to Morgan Stanley, claiming the Accellion FTA vulnerability was patched "within 5 days of the patch becoming available" and that they waited until May to notify Morgan Stanley because of the "difficulty in retroactively determining which files were stored in the Accellion FTA appliance when the appliance was vulnerable."

In a statement to ZDNet, a Morgan Stanley spokesperson said the "protection of client data is of the utmost importance and is something we take very seriously."   

"We are in close contact with Guidehouse and are taking steps to mitigate potential risks to clients," the spokesperson said. 

Breach notification letters have already been sent out to those who have been affected by the incident. 

The company said it is providing any victims in New Hampshire with 24 months of free credit monitoring services from Experian and will "arrange to provide codes to our corporate clients or directly to New Hampshire residents as applicable." It did not say whether people in other states were affected. 

The Accellion FTA vulnerability has been used widely by cybercriminals to launch an array of attacks against some of the biggest companies in the world. 

The Clop ransomware group became well known for attacking companies that were running old versions of the Accellion FTA file-sharing server, including Stanford Medicine and Bombardier. The Reserve Bank of New Zealand, the University of Maryland Baltimore, the Washington State Auditor, the University of California and cybersecurity firm Qualys are just a few of the victims attacked by Clop members through the Accellion vulnerability.

Kroger and Shell have also faced attacks through the Accellion FTA vulnerability. Accellion announced the end of life for the FTA product in February due to the spate of attacks.