Morgan Stanley announced Thursday, July 8, 2021, that the personal data of some of its clients has been compromised in a data breach involving its third-party vendor, Guidehouse. TechCrunch states that Guidehouse makes use of the Accellion FTA server that has been compromised.
Morgan Stanley is one of the leading investment banking firms. It provides its clients with a wide range of services such as investment banking, wealth management, investment management, securities, and more.
The revelation comes six months after the incident, TechCrunch reports. The breach was previously reported by Bleeping Computer. The hackers gained unauthorized access to the server in question in January 2021 and were exposed for five days prior to the vendor issuing a patch.
Bleeping Computer said that Guidehouse only discovered the server breach in March this year, while the impact on Morgan Stanley customers was only revealed to the company this May.
In a letter dated July 2, 2021, the bank said that its third-party vendor, Guidehouse, informed it of its involvement in a data security incident on May 20, 2021. ZDNet states that Guidehouse provides account maintenance services to Morgan Stanley's StockPlan Connect business.
The information compromised in the incident and accessed by hackers includes client names and their corporate company numbers, reports Bleeping Computer. In addition, the clients' Social Security numbers, addresses and dates of birth have also been accessed.
The bank also acknowledged that, although the documents had been encrypted, the threat actors stole the decryption key. Despite this, the company maintained that the files obtained from the Guidehouse Accellion FTA server did not include the passwords of clients.
The credentials required to gain access to customers’ financial accounts at Morgan Stanley also remain safe, notes Bleeping Computer.
In a statement, the bank spokesperson said, “The protection of client data is of the utmost importance and is something we take very seriously. We are in close contact with Guidehouse and are taking steps to mitigate potential risks to clients.”
Following the incident, Guidehouse announced that it has terminated the use of the compromised Accellion server, Bloomberg reported. The company has also informed the authorities about the data breach.
In a statement, a spokesperson for Guidehouse said, “We have already contacted clients whose information may have been impacted and are assisting them with making all appropriate notifications to individuals. There is no disruption of our operations and our internal systems were not compromised in any way by this issue.”