Personal information belonging to clients of the leading investment bank Morgan Stanley have been stolen following a data breach stemming from a vulnerability in one of its third-party IT suppliers. 

In a letter to the New Hampshire Attorney’s General office in July, the bank said that the IT outsourcing film Guidehouse had disclosed that hackers had accessed customers’ records in the Accellion hack. 

The Accellion hack leaked Morgan Stanley’s encrypted files under Guidehouse’s possession. The hackers also managed to obtain the decryption key in the third-party data breach. 

Whilst the data did not include any security credentials, it included personally identifiable information (PII) like customers’ names, addresses, dates of birth, social security numbers, and company names. 

The bank disclosed that 108 New Hampshire residents were impacted, but did not reveal the total number of clients exposed.

“The protection of client data is of the utmost importance and is something we take very seriously,” the company said. “We are in close contact with Guidehouse and are taking steps to mitigate potential risks to clients.”

First reported in December 2020, the Accellion FTA vulnerability was patched within 5 days after Guidehouse released security fixes in January 2021. However, by then the hackers had obtained the files. 

The hack was only discovered until March 2021, and Morgan Stanley was affected until later in May 2021. 

Guidehouse said the delay was caused by the “difficulty in retroactively determining which files were stored in the Accellion FTA appliance.”

Guidehouse has assured that it had no evidence that the stolen data had been distributed.

The Accellion FTA vulnerability also impacted other companies including Jones Day, Shell, Quays, Kroger, Singtel and more. 


Missed PrivSec Global’s livestream experience?

No problem, simply CLICK HERE to access the sessions on demand