Dive Brief:
- Morgan Stanley suffered a data breach after one of its vendors discovered a compromise through the Accellion FTA vulnerability, according to a July 2 breach notification disclosure letter obtained by Bleeping Computer.
- Management consulting firm Guidehouse provides account maintenance services for Morgan Stanley's StockPlan Connect business, a stock plan management service companies offer to their employees, according to the letter. Guidehouse discovered it was compromised from the Accellion incident in March, but did not discover the breach of Morgan Stanley data in its possession until May.
- While Guidehouse quickly patched the Accellion FTA vulnerability in January, attackers had already obtained personally identifiable information — including names, dates of birth, corporate company name and Social Security numbers — of Morgan Stanley's customers, according to the letter. While the files were encrypted, the bad actor accessed the decryption key during the incident.
Dive Insight:
While there was no breach of Morgan Stanley applications, the investment firm was still subject to an incident through a supply chain attack. In this case, a compromise further up the supply chain, the vendor of a Morgan Stanley vendor, led to the incident.
"We are in close contact with Guidehouse and are taking steps to mitigate potential risks to clients," a Morgan Stanley spokesperson told Cybersecurity Dive. Guidehouse could not be reached for comment.
The Accellion incident is just one of many supply chain attacks companies have had to contend with in the last year. SolarWinds, Microsoft Exchange and recently Kaseya have created headaches for companies trying to ensure security of their systems.
Now the threats extend beyond the security perimeter, and breaches can happen through networked vendors or through third parties in possession of proprietary data.
"What a lot of these threat actors are looking for is a foothold that they can then go downstream and compromise," said Jason Firch, co-founder and CEO/CMO at cybersecurity company PurpleSec.
In this case, Morgan Stanley was caught in the backspray of a larger compromise, which is difficult to prevent unless every detail of a vendor's technology ecosystem is scrutinized.
Banks spend hundreds of millions if not billions of dollars every year to protect their digital footprint, Firch said.
"From a threat actor perspective, they're not going to go after Morgan Stanley," he said. "It would take like an advanced persistent threat or like a nation-state actor who can afford to allocate the resources and who can be patient enough to break into the systems in order to compromise them."
An easier entry point is to find a flaw and circumvent all that security investment, Firch said.
Accellion has a growing list of customers affected by the vulnerability in its legacy File Transfer Appliance product. While the firm identified and quickly released a patch for a vulnerability in December, the company later found other exploits targeting its FTA product. Organizations affected include the Office of the Washington State Auditor, Goodwin Procter, Kroger and cloud security firm Qualys.
The software company remediated all vulnerabilities related to its legacy FTA by March 1, and moved up the date of the FTA's end-of-life to April 30, according to the company. In analysis of the incident, FireEye Mandiant found exploits of the FTA in December and January.