US multinational financial services and investment banking enterprise Morgan Stanley recently reported that it had suffered a data breach after attackers stole customer data by compromising the Accellion FTA server used by a third-party vendor.

The New York-headquartered firm is an international financial services leader providing investment and wealth management, securities, and dedicated investment banking services worldwide. Morgan Stanley’s current client base includes world governments, corporations, institutions, and private individuals situated in over 41 different countries.

Decryption key and encrypted data records seized

The third-party vendor Guidehouse provides the part of Morgan Stanley’s business known as StockPlan Connect with dedicated account maintenance services. The vendor notified the US investment banking firm back in May this year that threat operators had hacked into the Accellion FTA server it used in order to steal data belonging to participants in Morgan Stanley’s stock plan.

Guidehouse’s server was accessed without authorisation using a known exploit for the Accellion FTA. The attackers took advantage of the vulnerability in January, months before the third-party vendor applied the available security patch to protect the server.

Guidehouse uncovered the breach in March but only discovered the impact on Morgan Stanley’s customers in May. At that point, it informed the multinational of the matter and confirmed that it could find no evidence of the stolen data being circulated on the internet by the cybercriminals behind the attack.

Morgan Stanley commented on the leak:

“There was no data security breach of any Morgan Stanley applications. The incident involves files which were in Guidehouse’s possession, including encrypted files from Morgan Stanley.”

Unfortunately, while the stolen files were encrypted on Guidehouse’s server, the cybercriminals also obtained the corresponding decryption key during the attack, so the encryption offered no protection. The stolen data records contained the names of participants in the stock plans, personal addresses, social security numbers, company names and dates of birth, but no financial account credentials such as usernames and passwords were exposed.

A spokesperson for the investment banking firm added:

“The protection of client data is of the utmost importance and is something we take very seriously. We are in close contact with Guidehouse and are taking steps to mitigate potential risks to clients.”

Threat actors behind the attacks

Although the recent breach notification did not name the group responsible for the incident, a statement issued by Accellion and cybersecurity firm Mandiant, first published in February, shows a potential link between the attacks and the group known as FIN11.

The infamous Clop ransomware outfit also has a history of using a zero-day vulnerability in the Accellion FTA server to steal information from numerous enterprises.

Accellion estimates that around 300 customers utilised the legacy version of the FTA software, and fewer than 100 of them experienced attacks. So far, threat actors exploiting the vulnerability have attacked a wide range of high-profile targets, including banking institutions in Australia and New Zealand, international fuel companies like Shell, and multiple US government offices, enterprises and universities.