.png?width=200&height=78&name=CH%20Diligence%20(thicker%20line).png "CH Diligence (thicker line).png")
Know Your Breach: Morgan Stanley
Jul 9, 2021 2:13:09 PM
The target: Morgan Stanley, an investment banking firm providing banking, securities, and wealth management services worldwide.
The take: Stock plan participant’s names, addresses, dates of birth, social security numbers, corporate company names.
The attack vector: The breach occurred within a third-party vendor, Guidehouse, used by Morgan Stanley. Guidehouse in turn was using Accelion’s FileTransferApplication, which had been compromised earlier this year. Using a known exploit in Accelion’s FTA service, attackers were able to penetrate Guidehouse’s systems and access files Morgan Stanley had stored there. While the data was encrypted, access to the decryption key was also not secure, allowing the attackers to steal and read the data.
This incident highlights the ease with which a single breach can lead to a pivot into other systems. While Morgan Stanley’s own systems were not at risk, their data was stored with a third-party who failed to fully secure their own systems by using an exploited piece of software. The cascading nature of data breaches cannot be understated, and every effort should be made by firms to secure their data no matter where it is being stored.
