Morgan Stanley (MS) is the latest victim of a supply chain hack. Given the high levels of security and encryption that banks and credit unions build into their systems, you might be wondering how MS was hacked.
As with any breakdown, the vulnerability resides with the weakest link. Yes, banks and credit unions are highly secure, but they also use a lot of third-party software. Financial institutions can't be aware of every vulnerability that may be lurking within these third-party applications. While third parties do take precautions to guard against vulnerabilities, creating software is a complex business, and no software can be made 100% foolproof.
The MS hack was due to a vulnerability in Accellion's legacy File Transfer Appliance (FTA), a supply chain application. FTA is an enterprise file transfer application used in conjunction with another third-party application called Guidehouse, which provides stock plan management services to Morgan Stanley's employees.
The compromise started with an attack on Guidehouse. From there, the attacker was able to exploit the vulnerability in FTA with a zero-day attack. The Guidehouse breach occurred in January, but the vendor did not immediately detect it. MS was not notified about the breach until May.
A zero-day attack isn't a specific hacking technique. It just means that a hacker found a vulnerability before the vendor did.
The end result is that the attacker gained access to the encrypted data of 108 New Hampshire residents. While this data was encrypted, the attacker obtained the encryption keys and decrypted all of the data. This exposed the victims' names, addresses, dates of birth, Social Security numbers, and corporate company names.
On the plus side, none of the data was published. However, the attacker still has it. MS did not mention whether customer data from other states was also compromised.