

Morgan Stanley has disclosed that some of its corporate customers had their data stolen following a data breach at a third-party vendor.
The data breach involved Guidehouse Inc., a company that provides account maintenance services to Morgan Stanley’s StockPlan Connect Business. The data breach took place in January and was initially discovered by Guidehouse in March, with the link to Morgan Stanley later found in May. Morgan Stanley informed those affected in a letter dated July 2, according to Reuters.
The data stolen included client names, addresses, dates of birth and corporate company names.
The attack vector involved hackers exploiting a vulnerability in software from Accellion Inc. used by Guidehouse. The form of attack was not disclosed, but previous Accellion FTA-related attacks have involved the Clop ransomware gang.
Guidehouse claims that it has found no evidence that the stolen data has been distributed online. That said, in previous Clop attacks, stolen data has been published on the dark web, a shady corner of the internet reachable with special software. A person familiar with the matter told Reuters that the bank is monitoring the dark web for any evidence of client information being posted.
Known victims of Accellion FTA-related data breaches include Bombardier Inc., Jones Day, the Office of the Washington State Auditor, Qualys Inc. and Royal Dutch Shell plc. The full number of victims may never be precisely known, with estimates that around 300 customers were using the vulnerable software when the attacks started and that fewer than 100 were affected.
“Today, we’ve seen yet another third-party vendor vulnerability expose personally identifiable information,” Stephan Chenette, co-founder and chief technology officer of security optimization platform provider AttackIQ Inc., told SiliconANGLE. “Although the PII of Morgan Stanley’s customers was encrypted, the information was stored on third-party partner’s servers that were breached and the encryption key to decrypt those files was also stolen.”
Although there is no evidence of the stolen data making its way onto the dark web as yet, Chenette believes it is highly likely that it will end up for sale.
“Organizations must take proactive approaches to protect their data and be extra vigilant in testing the security controls protecting organizational encryption keys,” Chenette added. “This should include mapping organizational capabilities and security controls to specific attack scenarios to measure their preparedness to detect, prevent and respond to these threats.”