Add Morgan Stanley to List of Accellion FTA Hack Victims
Vendor to Bank Was Using the Vulnerable File Transfer Appliance
Investment banking giant Morgan Stanley is the latest company to report a data breach tied to zero-day attacks on Accellion's legacy File Transfer Appliance - yet another indicator of the sustained impact of supply chain attacks. FTA-related incidents, which led to extortion efforts by the Clop ransomware group, were first detected last December.
In a letter to New Hampshire Attorney General John Formella, the company revealed that it had sustained a data breach after an attacker compromised Guidehouse, a third-party vendor providing stock plan management services to Morgan Stanley's employees. Guidehouse used the vulnerable Accellion FTA.
Although Guidehouse was hacked in January, the bank says it was not notified of the breach until May because the vendor did not immediately detect it.
As a result of the hack, the bank notes, the attackers accessed encrypted data of 108 New Hampshire residents as well as the decryption keys for these files. While the number of victims is low, particularly in comparison with other recent breaches, the exposed data includes victim names, addresses, dates of birth, Social Security numbers and corporate company names.
"Morgan Stanley has reviewed Guidehouse’s remediation of the incident. According to Guidehouse, the Accellion FTA vulnerability that led to this incident was patched in January 2021, within five days of the patch becoming available," the letter notes. "Guidehouse has informed Morgan Stanley that it found no evidence that Morgan Stanley’s data had been distributed beyond the threat actor."
When asked for further clarification on whether bank customers in other states were affected, a Morgan Stanley spokesperson said: “We are not providing further comment. ... The protection of client data is of the utmost importance and is something we take very seriously. We are in close contact with Guidehouse and are taking steps to mitigate potential risks to clients.”
Many organizations worldwide have been affected by the zero-day attack on vulnerable Accellion FTA installations.
In a recent development, grocery and pharmacy chain Kroger settled a class action lawsuit stemming from a breach tied to FTA. Kroger acknowledged it paid a ransom to the ransomware group Clop in exchange for the return of data stolen as a result of the hack of its FTA system.
Other victims have included New Zealand's Reserve Bank, Singapore telecom company Singtel, Australian medical research institute QIMR Berghofer and Qualys.
Impact of Supply Chain Hacks
Clearly, supply chain attacks can have long-term impacts, says Alec Alvarado, threat intelligence team lead at security firm Digital Shadows.
"The fact that the impact of the Accellion FTA vulnerability is still unravelling results from the cascading effect of third-party attacks," he says. "Understanding the extent of the breach requires looking at not only Accellion customers, but also the people and companies the customers serve. This all-too-timely example parallels the recent Kaseya-REvil incident, which is still being worked out and will continue to do so in the coming months, much like the Accellion incident."