In news that should alarm business owners everywhere, Morgan Stanley, a leading global financial services firm, is reporting that they were hacked back in May 2021.
Their customers' personal data were stolen during a hack that targeted the Accellion FTA server of Guidehouse, Morgan Stanley's third-party vendor.
The breach of the Guidehouse server occurred in January but was only discovered in March, meaning the hackers were in the system for several months. They got in via a downstream server that was processing a subtask, exploiting an Accellion FTA vulnerability which the vendor patched within five days of the fix becoming available.
Although the legacy server was over twenty years old, Guidehouse had stored Morgan Stanley's encrypted files on it. This layer of encryption did little to deter the threat actors, as they also obtained the decryption key during the attack. Encryption at rest only protects data when the key is kept out of reach of whoever compromises the storage; a key sitting on the same server as the ciphertext is taken along with it.
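To make the failure mode concrete, here is an added illustration (not code from the article, Guidehouse or Accellion) that models a file-transfer server whose entire contents are dumped by an attacker. In the weak design the decryption key is stored beside the encrypted file, so the dump yields plaintext; in the separated design the server holds only ciphertext and the key lives in a separate key service the server never stores. The server layout, file names and sample record are constructed, and the cipher is a deliberately simple HMAC-SHA256 counter-mode keystream used only to keep the example self-contained, not something to use in production.

```python
"""Constructed model of 'encrypted at rest, but the key was on the box'.

The FileServer stands in for a vendor's file-transfer host. Whatever is in
its `storage` dict is what an attacker walks away with after a full
compromise. Two designs are compared: key co-located with the ciphertext
versus key held by a separate key service.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR `data` with an HMAC-SHA256 counter-mode keystream.

    Toy cipher for illustration only. The same call encrypts and decrypts.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext using a fresh random nonce."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Split off the nonce and reverse the keystream XOR."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return keystream_xor(key, nonce, ciphertext)


@dataclass
class FileServer:
    """Simulated file-transfer host. `storage` is everything on disk."""
    storage: Dict[str, bytes] = field(default_factory=dict)

    def dump(self) -> Dict[str, bytes]:
        """What a full compromise of the host hands the attacker."""
        return dict(self.storage)


def colocated_key_design(plaintext: bytes) -> FileServer:
    """Weak design: the decryption key is stored on the same host."""
    key = secrets.token_bytes(32)
    server = FileServer()
    server.storage["report.enc"] = encrypt(key, plaintext)
    server.storage["decryption.key"] = key  # the mistake: key next to ciphertext
    return server


def separated_key_design(plaintext: bytes) -> Tuple[FileServer, Dict[str, bytes]]:
    """Better design: the key lives in a separate key service (constructed).

    The file server stores only ciphertext; the key is returned separately
    to stand in for a service the file server cannot read from disk.
    """
    key_service = {"report.enc": secrets.token_bytes(32)}
    server = FileServer()
    server.storage["report.enc"] = encrypt(key_service["report.enc"], plaintext)
    return server, key_service


def attacker_recovers_plaintext(dumped: Dict[str, bytes]) -> Optional[bytes]:
    """Decrypt using only material found in the server dump, if possible."""
    key = dumped.get("decryption.key")
    if key is None:
        return None  # ciphertext alone is useless without the key
    return decrypt(key, dumped["report.enc"])


if __name__ == "__main__":
    # Constructed sample record; not real data.
    record = b"participant=J. Doe; dob=1970-01-01; ssn=000-00-0000"

    weak = colocated_key_design(record)
    print("co-located key ->", attacker_recovers_plaintext(weak.dump()))

    strong, keys = separated_key_design(record)
    print("separated key  ->", attacker_recovers_plaintext(strong.dump()))
    print("authorised use ->", decrypt(keys["report.enc"], strong.storage["report.enc"]))
```

The point the example makes is structural rather than cryptographic: the cipher is identical in both designs, and only where the key lives decides whether a dump of the server is a breach of plaintext or of unreadable bytes.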
The documents stolen during this incident included addresses, dates of birth, social security numbers, corporate company names and stock plan participants' names. They did not include password information or credentials that the threat actors could use to gain access to impacted Morgan Stanley customers' financial accounts.
Morgan Stanley provides security, wealth and investment management services worldwide, to clients including governments, corporations, institutions and individuals in more than 41 countries.
The company has directly notified and apologised to the clients affected by the breach and offered them a free two-year subscription to a credit-report monitoring service. For investment-minded people, any damage to their financial rating caused by a data breach will harm their prospects, which this subscription helps to offset.
Whilst Morgan Stanley has not disclosed the attacker's identity, Accellion and Mandiant, an American cybersecurity firm, have linked the attack in a joint statement to the FIN11 cybercrime group. FIN11, also known as the Clop ransomware gang, is a financially motivated hacker group known for its increasingly aggressive ransomware attacks.
They have been known to run up to five high-volume campaigns a week and have used other vulnerabilities in the Accellion FTA system to steal data from multiple companies.
These companies include supermarket giant Kroger, energy giant Shell, cybersecurity firm Qualys, Singtel, the Office of the Washington State Auditor, the Australian Securities and Investments Commission, the Reserve Bank of New Zealand, and an abundance of other organisations and universities.
So, what can businesses learn from incidents like this?
Firstly, don't leave sensitive data, especially data relating to your clients, on a vulnerable, outdated server. Even if it is encrypted, the risks are too severe.
Secondly, the aftermath of a data breach is costly in more ways than one. Morgan Stanley offering a free credit-report monitoring service to its clients is the right thing to do, but it is expensive.
Don't be put in a situation where you have to burn your hard-earned money compensating your clients. Invest in your cybersecurity now and you can avoid costs later, including damage to your reputation.
Financial compensation can never make up for the fact that your clients' data was compromised, and they may now think twice about trusting you with it in the future.
To safeguard your business against these consequences, work to maintain a security-first mindset. Invest in the cybersecurity of your business and the awareness of your employees. And most importantly, never ever underestimate the risks.
Thanks to Jp Valery from Unsplash for the image