Although the files were encrypted, the attackers were able to obtain the decryption key during the data breach
Morgan Stanley has disclosed that personal data of some of its corporate clients was stolen in a data breach in January involving a third-party vendor, in which hackers accessed information including the social security numbers of some clients.
Guidehouse, a vendor that provides account maintenance services to Morgan Stanley’s StockPlan Connect business, notified the bank of the data breach in May, the bank said in a letter dated 2 July.
Client names, addresses, dates of birth, social security numbers and corporate company names were included in the stolen files, the bank said.
Attackers gained access to the information by exploiting a vulnerability in Guidehouse’s Accellion FTA server. The vulnerability was patched within five days.
Although the files were encrypted, the attackers were able to obtain the decryption key during the data breach, the bank said.
“We are in close contact with Guidehouse and are taking steps to mitigate potential risks to clients”, a bank spokesperson said.
The hack, reported earlier by technology news portal Bleeping Computer, was discovered in March by Guidehouse and its impact on Morgan Stanley was found in May, the letter said.