The American financial giant Morgan Stanley has notified the authorities that a third-party vendor has leaked data on the company’s clients.
Personal information fell into the hands of third parties due to an attack on the outdated file-sharing service Accellion FTA (File Transfer Application). Attacks on it have been observed since December 2020, and even then FireEye analysts linked this activity with the FIN11 hacker group and warned that more than 100 companies had become victims of cybercriminals.
As part of this campaign, hackers exploited four vulnerabilities in the FTA (CVE-2021-27101, CVE-2021-27102, CVE-2021-27103 and CVE-2021-27104). The Accellion developers released several waves of fixes for these bugs, but each time they emphasized that FTA has long been an outdated product, and urged their customers to migrate to the new Kiteworks platform. As a result, the company announced that it would end support for the FTA entirely on April 30, 2021.
According to the developers of Accellion, among the approximately 300 FTA clients, “less than 100” were victims of attacks, and among those, fewer than 25 were affected by data theft. FireEye clarified that some of these 25 customers are being blackmailed, with the hackers demanding a ransom from them.
As it turns out, one of the organizations hit by the FTA attack is Guidehouse, which provides account maintenance services to Morgan Stanley StockPlan Connect.
In a letter sent to the New Hampshire attorney general’s office, Morgan Stanley reports that Guidehouse informed them in May 2021 that unknown attackers were using the Accellion FTA to access Morgan Stanley data that included personal information of StockPlan Connect members.
The files stolen in this way were encrypted, but, according to the company, the attacker “was able to obtain the decryption key during the hack due to a vulnerability in Accellion FTA.” The stolen documents contained names, addresses, dates of birth, social security numbers of StockPlan Connect members, as well as company names.
Interestingly, Guidehouse employees discovered what had happened in March 2021, although the attack took place back in January. Morgan Stanley itself was notified of the incident only two months after that, in May; Guidehouse explained that it was difficult to determine in hindsight which files were stored on the Accellion FTA appliance at the time it was compromised.
It is known that as a result of this attack, the data of 108 New Hampshire residents were affected, but the company does not disclose how many more people may have become victims of this leak.