Morgan Stanley Breach: Part of a Concern-Raising Surge
By Roy Urrico
Morgan Stanley’s revelation of a January 2021 data breach involving the personal information of some of its corporate clients is further evidence of an ongoing surge in phishing, ransomware, and supply chain attacks affecting organizations across various sectors, including financial services. However, despite a troubling growth rate of data compromises, the number of individuals affected seems to be dropping, at least for now.
New York-based investment banking firm Morgan Stanley said in a letter dated July 2, 2021, that the incident involved a third-party vendor: “Morgan Stanley was notified in May 2021 by Guidehouse, a vendor that provides account maintenance services to Morgan Stanley’s StockPlan Connect business, that it had suffered an information security incident.”
Guidehouse advised the bank that hackers exploited a series of now-patched vulnerabilities in Accellion FTA, a broadly used third-party file-transfer service that Guidehouse used to store files for Morgan Stanley. “Specifically, Morgan Stanley documents in the possession of Guidehouse containing the personal information of StockPlan Connect participants, including participants in New Hampshire, were obtained by an unauthorized individual.”
Morgan Stanley said the files obtained included names, addresses, birthdates, Social Security numbers (where provided), and corporate company names. Morgan Stanley noted data within these files did not contain passwords that could access financial accounts. Guidehouse informed Morgan Stanley that it found no evidence that the stolen Morgan Stanley data was made available online by threat actors.
Infosec Specialists React
Alexa Slinger, identity management expert at San Francisco-based OneLogin, which provides identity and access management solutions, commented: “This recent disclosure from Morgan Stanley serves as a stern reminder to all organizations who were previously, or currently are, using the Accellion FTA product that they must be prepared for additional hack disclosures.”
Slinger pointed out that businesses should have guardrails and safety measures in place for their consumer identities and data, as well as having crisis management and recovery processes ready. “Businesses must mitigate the cybersecurity risks of legacy systems by conducting regular vulnerability assessments to determine areas of weakness, ensuring that the most recent patches are applied immediately and invest in additional layers of security for securing and monitoring their endpoints and network.” Security efforts, she added, should include educating the public about phishing attempts, clarifying the ways a business will, and will not, contact the customer.
This incident also highlights the appropriate steps people should take in the case of a personal data compromise. “Consumers should always keep an eye on all of their online accounts, and enable credit monitoring to swiftly detect suspicious activity in their financial accounts,” Slinger said.
Al Pascual, the senior vice president of Data Breach Solutions at Boston-based Sontiq, an Intelligent Identity Security company, noted the Morgan Stanley breach had a risk level of 4 (on a 1-10 scale), according to BreachIQ, Sontiq’s patented algorithm that analyzes more than 1,300 data points of a breach. He pointed out that the key risks created by the compromise of core personal identifiers (name, address, birthdate, and SSN) include possible fraudulent new credit, loan and financial account applications and access, as well as account takeover.
Why did the breach take so long to become public? “This breach started a couple of degrees removed from Morgan Stanley – and it took time to trickle down,” Pascual said. “All that said, delayed reporting inevitably works to the advantage of criminals who are afforded more time to target the consumers who were affected – opening up new accounts in their name and bypassing authentication controls on existing accounts using the information they gleaned.”
Pascual emphasized there is even the risk that Morgan Stanley customers could become targets for social engineering, where criminals use the customer list they have obtained to imitate the investment bank and attempt to manipulate its customers into sharing more information or even moving funds to accounts under a criminal’s control.
“Now, just because there was no evidence the data has been sold or misused by criminals – as purported by Guidehouse – this is in no way a guarantee that affected Morgan Stanley customers are safe,” Pascual explained. He noted criminals often keep sensitive data close to the vest rather than tout their haul on the dark web immediately and expose it to intelligence vendors on the lookout for data dumps and other compromised data. “But there is a very real possibility that it is being actively sold. Because why steal it, if you don’t plan on using it?”
Breaches on Record High/Low Courses
The El Cajon, Calif.-based Identity Theft Resource Center (ITRC), in its First Half 2021 Data Breach Analysis, noted data breaches were up 38% in the second quarter of 2021 from this year’s first quarter. The ITRC suggested total data breaches could reach a new annual high on the current course. Interestingly, the number of individuals impacted by data compromises fell 20% quarter-over-quarter, continuing a first-half 2021 trend.
The total number of publicly reported data compromises accelerated in the second quarter, ending June 30, 2021, at 491, with the number of individuals impacted by reported incidents at 52.8 million. For the first half of 2021, the number of compromises totaled 846, or 76% of 2020’s total compromises, and victims added up to 118.6 million, or 38% of 2020’s total number of people impacted by data breaches, exposures and leaks.
The ITRC reported, “If the current trends continue, 2021 could end with a record-setting number of compromises, exceeding the current high-water mark of 1,632 set in 2017 and the lowest number of people impacted by data compromises since 2014.”
However, the number of people impacted by the rising number of data compromises is dropping at a rate that could result in fewer than 250 million victims by year’s end. The previous low was set in 2020 with 310 million victims, down from 2.5 billion in 2016.
Data compromises are rising across the board, with half of the sectors tracked by the ITRC showing increases. Manufacturing, utilities and professional services witnessed significant increases, while healthcare and retail saw data compromises drop. Financial services had 132 attacks affecting 9,663,051 people, compared to the first half of 2020, when 70 attacks affected 1,479,228.
“This dynamic reflects the broader trend of cybercriminals shifting their attacks to critical infrastructure and targets considered to be not as well defended in hopes of securing larger ransomware payments,” the ITRC analysis suggested.
A 19% rise in supply chain attacks, coupled with the total number of supply chain attacks in the first six months of 2021 (58) compared to the total number of malware-related compromises (70), indicates that third-party risks could surpass malware as the third most common root cause of data events. “The July 2, 2021 supply chain attack on Kaseya, a security software provider, is an indication the scope and complexity of supplier attacks linked to ransomware is also increasing,” said the ITRC in its report.
Other ITRC analysis findings:
· Phishing and ransomware remain the number one and number two root causes of data compromises for both the second quarter and first half.
· Supply chain attacks leading to data compromises continued to increase in the second quarter of 2021 with 32 new attacks compared to 27 in the first quarter, a 19% increase; and 292 organizations, including 285 impacted by cyberattacks, suffered from supply chain attacks, affecting an estimated 5.5 million individuals.