CUSO-News---Payments-Report

Written by Cyndie Martini
on July 27, 2021

Morgan Stanley is the latest victim of a supply chain hack. Given the high levels of security and encryption that banks and credit unions install into their systems, you might be wondering how MS was hacked.

As with any breakdown, the vulnerability resides with the weakest link. Yes, banks and credit unions are highly secure, but they also use a lot of third-party software. Financial institutions can't be aware of every vulnerability that may be lurking within these third-party applications. While third parties do take precautions against vulnerabilities, creating software is a complex business, and no software can be made 100% foolproof.

The MS hack was due to a vulnerability in Accellion's legacy File Transfer Appliance (FTA), a supply chain application for enterprise file transfer. FTA is used in conjunction with another third-party application called Guidehouse, which provides stock plan management services to Morgan Stanley's employees.

The compromise started with an attack on Guidehouse. From there, the attacker was able to exploit the vulnerability in FTA with a zero-day attack. The Guidehouse breach occurred in January, but the vendor did not immediately detect it. MS was not notified about the breach until May.

A zero-day attack isn't a specific hacking technique. It just means that a hacker found a vulnerability before the vendor did.

The end result is that the attacker gained access to the encrypted data of 108 New Hampshire residents. While this data was encrypted, the attacker obtained the encryption keys and decrypted all of the data. This exposed the victims' names, addresses, dates of birth, Social Security numbers, and corporate company names.

On the plus side, none of the data was published. However, the attacker still has it. MS did not mention whether customer data from other states was also compromised.
