CUSO-News---Payments-Report

Written by Cyndie Martini
on July 27, 2021

Morgan Stanley is the latest victim of a supply chain hack. Given the high levels of security and encryption that banks and credit unions install into their systems, you might be wondering how MS was hacked.

As with any breakdown, the vulnerability resides with the weakest link. Yes - banks and credit unions are highly secure, but they also use a lot of third-party software. Financial institutions can't be aware of every vulnerability that may be lurking within these third-party applications. While third parties do take precautions to ensure against vulnerabilities, creating software is a complex business, and no software can be made 100% foolproof.

The MS hack was due to a vulnerability in Accellion's legacy File Transfer Appliance (FTA), an enterprise file transfer application that sits in the supply chain. FTA is used in conjunction with another third-party application called Guidehouse, which provides stock plan management services to Morgan Stanley's employees.

The compromise started with an attack on Guidehouse. From there, the attacker was able to exploit the vulnerability in FTA with a zero-day attack. The Guidehouse breach occurred in January, but the vendor did not immediately detect it. MS was not notified about the breach until May.

A zero-day attack isn't a specific hacking technique. It just means that a hacker found a vulnerability before the vendor did, so no fix existed when it was exploited.

The end result is that the attacker gained access to the encrypted data of 108 New Hampshire residents. While this data was encrypted, the attacker obtained the encryption keys and decrypted all of the data. This exposed the victims' names, addresses, dates of birth, Social Security numbers, and corporate company names.

On the plus side, none of the data was published. However, the attacker still has it. MS did not mention whether customer data from other states was also compromised.
