(Reuters) – Morgan Stanley has revealed that personal data about some of its corporate customers was stolen in January in a data breach involving a third-party provider and hackers gained access to information, including social security numbers.
Stolen files also included client names, addresses, dates of birth and company names.
The bank's provider, Guidehouse, which provides account maintenance services to its StockPlan Connect business, informed it of the breach in May, Morgan Stanley said in a letter dated July 2.
The bank said the attackers gained access to information by exploiting a vulnerability on the vendor's server, Accellion FTA. While the exposure was patched within five days, the attackers received an encryption key even though the files were encrypted.
Guidehouse informed the bank that there was no evidence that the stolen data had been distributed online.
A person familiar with the matter said that the files have been restored and the bank is monitoring the dark web for any evidence to publish client information.
The seller has meanwhile committed the credit company Experian to offer free credit monitoring services for 24 months for customers who may have been affected by the intrusion, the person said.
“The protection of client data is of the utmost importance and is something we take very seriously. We have close contact with Guidehouse and take measures to mitigate potential risks for customers, says a bank spokesman.
The hack, previously reported by technology news portal Bleeping Computer, was discovered in March by Guidehouse and its impact. at Morgan Stanley was found in May, the bank said.