Morgan Stanley has joined the growing list of victims of the Axelion hack – more than six months after the attackers first violated the seller’s 20-year-old file-sharing product. The investment banking firm – which is not known for data breaches – confirmed in a letter this week that the attackers hacked into its third-party vendor’s Guide House’s Excelsion FTA server and stole its customers’ personal information.
In a letter addressed to the victims, first reported by Sleeping Computer, Morgan Stanley admitted that the threatening actors stole an unknown number of documents containing customer addresses and social security numbers. The documents were encrypted, but the letter said the hackers also received a decryption key, although Morgan Stanley said the files did not contain passwords that could be used to access customers’ financial accounts.
“Client data security is of paramount importance and this is something we take very seriously,” a Morgan Stanley spokesman told TechCrunch. “We are working closely with the guide house and taking steps to minimize potential risks to clients.” Just days before the Morgan Stanley data breach was reported, an Arkansas-based healthcare provider confirmed that it was also the victim of a data breach as a result of the Axelion attack. A few weeks before that, UC Berkeley did the same.
Although data breaches have a tendency to grow past past reported statistics, more than six months later organizations are still being exposed as victims of asylum, proving that business software providers have yet to get a handle on it. Cyberattack was first unveiled on December 23 and Axelion initially claimed that the FTA vulnerability was patched within 72 hours after it was forced to explain that new vulnerabilities had been discovered. The next (and final) update to Axelion came in March, when the company claimed that all known FTA vulnerabilities – which authorities said were exploited by FIN11 and Klopp Ransomware thugs – had been remedied.
Respondents to the incident, however, said that Axelion’s response to the incident was not as smooth as it had been, claiming that the agency was slow to raise awareness of potential dangers to FTA customers.