Morgan Stanley Customers Fear Identity Theft After Accellion Data Breach

Identity Theft fears are on the minds of Morgan Stanley customers, as the investment banking firm has reported a data breach after attackers stole personal information belonging to its customers by hacking into the Accellion FTA server of a third-party vendor. Morgan Stanley is one of the leading global financial services firms, operating in 41 countries. The company serves corporations, governments, institutions, and individuals.

Guidehouse, a third-party maintenance service to Morgan Stanley, notified the company in May 2021 that hackers had breached an Accellion FTA server to steal information belonging to Morgan Stanley stock plan participants. The server was breached using an exploit that was highlighted by Accellion in January. It is believed the server was running unpatched, hence the attack working.

Initially, it was believed that because the data was encrypted, there was no fear of alarm with regard to identity theft. However, the hackers obtained the decryption keys during the attack.

Morgan Stanley says that the documents stolen during this incident contained:

• Stock plan participants’ names
• Addresses
• Dates of birth
• Social security numbers
• Corporate company names

The company added that the files stolen from Guidehouse’s FTA server did not contain passwords information or credentials that the threat actors could use to gain access to impacted Morgan Stanley customers’ financial accounts.

“The protection of client data is of the utmost importance and is something we take very seriously,” a Morgan Stanley spokesperson told BleepingComputer. “We are in close contact with Guidehouse and are taking steps to mitigate potential risks to clients.”

While much of the information being leaked is trouble, SSNs in particular are the keys to identity theft.

While the attackers’ identity was not disclosed in Morgan Stanley’s data breach notification, a joint statement published by Accellion and Mandiant from February shed more light on the attacks, directly linking them to the FIN11 cybercrime group.

The Clop ransomware gang has also used an Accellion FTA zero-day vulnerability (disclosed in December 2020) to steal data from multiple companies.

Since the Accellion discovery in January, many corporations have been caught with exploits due to running legacy systems.

The Dangers of Identity Theft

Identity Theft can be absolutely devastating for an individual. Usually, in the world of malware, we know certain things can be harmed. Our devices may need to be replaced, we may lose access to accounts for a few days or even forever, we may even need to pay a ransom for access to our data. The point is, with most types of Malware, we can eventually rebuild, though it may take longer than we anticipate. The fallout from identity theft is much longer.

Once your stolen information is used once, it can take anywhere from a few days to six months for that one incident. But your information is out there for a very, very long time. This means you could end up dealing with identity theft for many years, even decades.

Identity Theft has been around for a very long time and predates our modern technology by thousands of years. There have always been individuals that try to impersonate others for their own gain, financial or otherwise. However, the internet’s birth and wide adoption have led to new attack vectors, dwarfing any possible past attempts.

Now more than ever do we have data tied into our personal identity. Email addresses, banking numbers, phone numbers, social security numbers, home addresses – All of these and more form a picture of us as lines in a database.

And when this information falls into the wrong hands, it can do a lot of damage. Bank accounts can be drained, and your credit rating can get rattled; you can end up with medical bills or even a criminal record. The list of potential mishaps that can arise from identity theft is endless.

To hackers, identity theft represents a lucrative stream of income, and they can very easily cover their tracks. After they have seized personal information, they sell it on the dark web. This information can be sold over time, repeatedly, meaning that if you notice your identity has been stolen and used, it can be used in several instances over a long period of years.

There are some guidelines from the US government in discovering if you are a victim of identity theft if it is not immediately obvious:

• You stop receiving your regular bills and credit card statements.
• You receive statements for accounts you never opened.
• Debt collectors start calling you day and night about debts you’ve never heard of.
• The IRS alleges you failed to report income for a company you never worked for.
• You see withdrawals/charges on your bank or credit card statement that you didn’t make.
• You try to file your taxes only to discover that someone else beat you to it.
• You try to file your taxes and find someone claimed your child as a dependent already.
• Your credit report includes lines of credit you never opened.
• Your credit score fluctuates wildly and for no apparent reason.
• The most obvious sign—you receive a notification that you’ve been the victim of a data breach.
• If you are unsure, it is always best to check with the authorities on the US government’s identity theft website.