BACKGROUND:
Morgan Stanley confirmed a client data breach through their third party vendor Guidehouse. Guidehouse provides account maintenance services to Morgan Stanley’s StockPlan Connect business. Although the data was encrypted, the attackers also stole encryption keys. The attackers exploited an Accellion FTA vulnerability in January of this year. The files stolen included: name; address (last known address); date of birth; Social Security numbers and corporate company name.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
<p>When a patch is issued for software that has been actively exploited, simply patching the software and moving on isn’t the best path. Attackers might have already compromised the system, and since they define the rules of their attack, they might be waiting for a good time to actually launch the attack or release data already obtained. Since the goal of patch management is protecting systems from compromise, patch management strategies should include reviews for indications of previous compromise – even if the software is already patched. With the software supply chains that power modern business including various service providers, periodic reviews of service provider relationships should also include verification that latent compromise isn’t present.</p>
<p>This recent disclosure from Morgan Stanley serves as a stern reminder to all organizations who were previously, or currently are, using the Accellion FTA product that they must be prepared for additional hack disclosures. Businesses should be putting guardrails and safety measures in place for their consumer identities and data, as well as have a crisis management and recovery process ready.</p>
<p>Businesses must mitigate the cyber security risks of legacy systems by conducting regular vulnerability assessments to determine areas of weakness, ensuring that the most recent patches are applied immediately and invest in additional layers of security for securing and monitoring their endpoints and network. Efforts should be made to educate the public about phishing attempts, clarifying the ways a business will and will not contact the customer.</p>
<p>This incident also highlights the need for consumers to be educated on what to do in the case of their personal data being compromised and the appropriate steps to take. Consumers should always be keeping an eye on all of their online accounts, and enable credit monitoring to swiftly detect suspicious activity in their financial accounts.</p>
<p>As more breaches continue to trickle down, it remains unclear how many organizations are still using the Accellion FTA product, as well how many other breaches have remained undisclosed.</p>
<p>Over 50% of recent data breaches have been directly linked to 3rd party suppliers and vendors. While most organizations have taken measures to secure remote employee access during the COVID-19 pandemic, it’s important to recognize that these 3rd party systems that are often credential (password) based remain a source of high risk. Passwords can be guessed, reused or even brute forced by bad actors who can then access sensitive or Personally Identifiable Information (PII) information via lateral movement. It is imperative to implement modern authentication technologies with strong or passwordless Multi Factor Authentication (MFA) to ensure a trusted end to end digital identity relationship with all suppliers.</p>
<p>Look out Morgan Stanley! The bigger they are, the harder they fall. Earlier this year, Kroger suffered a similar breach where a third party exploited the Accellion vulnerability. In Kroger’s case, a federal class-action lawsuit was filed because Accellion had encouraged customers to move to a newer and more secure file transfer platform. Now Morgan Stanley’s customers’ personally identifiable information has been breached due to this same attack vector. Where does that leave these customers? Is Morgan Stanley staring down a class action lawsuit as well? Time will tell. And time is definitely not on Guidehouse’s side. Not encrypting the decryption key is a huge faux pas. It’s like locking your front door but leaving the windows wide open. It’s a costly mistake.</p>