More Accellion Cyberattack Victims Revealed

Published: 2021-07-12

Six months after attackers breached Accellion’s 20-year-old file-sharing product, Morgan Stanley confirmed in a letter that the Accellion cyberattackers stole personal information from their customers by hacking into the Accellion FTA server of Guidehouse, their third-party vendor.

According to an article from TechCrunch, Bleeping Computer first reported the letter from the investment banking firm where they admitted that threat actors took an unknown number of documents that contained addresses and social security numbers of their customers.

While the documents were encrypted, Morgan Stanley says the Accellion cyberattack hackers also obtained the decryption key, but that the files did not contain passwords that could give the hackers access to their customers' financial accounts.

“The protection of client data is of the utmost importance and is something we take very seriously,” a Morgan Stanley spokesperson told TechCrunch. “We are in close contact with Guidehouse and are taking steps to mitigate potential risks to clients.”

Numerous organizations have confirmed that they were also victims of the cyberattack that happened over six months ago, and the reported figures continue to grow, which raises the question of how good a handle Accellion has on the issue.

After the December 23 attack, the business software provider claimed that the FTA vulnerability was patched within 72 hours, but was then forced to reveal that it had discovered new vulnerabilities. In March, Accellion provided an update stating that all known FTA vulnerabilities had been remediated.

Incident responders say that Accellion did not alert its customers about the potential danger to FTA quickly enough. The Reserve Bank of New Zealand voiced concern over how quickly it was alerted by Accellion, stating that it never received any alerts in December or January.

“In this instance, their notifications to us did not leave their system and hence did not reach the Reserve Bank in advance of the breach. We received no advance warning,” said RBNZ governor Adrian Orr, as reported in the TechCrunch article.

KPMG International found that the email tool Accellion uses failed to deliver the notification when the vendor issued software updates in December.

Accellion made a strong effort in March to communicate to the public that it planned to retire the 20-year-old FTA product in April and transition customers to Kiteworks, and in May it announced that 75% of its customers had moved to the new product.

But this means 25% are still using the old product, and, according to TechCrunch, Accellion is now taking a more “hands-off approach” to the attack, which could mean the list of roughly 300 victims continues to grow.

Posted in: Insights

Tagged with: Cybersecurity