Morgan Stanley says the personal information of stock plan participants has been stolen after a third-party vendor suffered a data breach thanks to a vulnerability with file sharing software from vendor Accellion.
In breach notification letters sent to those affected - first reported by Bleeping Computer - Morgan Stanley reveals that it is the latest firm to be affected by the Accellion vulnerability.
Guidehouse, the vendor that provides account maintenance services to Morgan Stanley's StockPlan Connect business, discovered a breach in March and that it had affected Morgan Stanley customers in May, when it informed the bank.
Crooks stole files containing StockPlan-related documents. While the files were encrypted, the hackers also managed to obtain the decryption key.
The documents contain stock plan participants' names, addresses, dates of birth, social security numbers and corporate company names. Passwords to obtain access to financial accounts were not compromised.
There is no evidence that the data has been distributed by the hackers. This is in contrast with a recent Accellion-related incident at Flagstar Bank, which saw crooks post the personal details of several employees of Flagstar Bank - and threaten to post more if they did not receive a payment.
The vulnerability has affected dozens of firms, with the Reserve Bank of New Zealand and the Australian Securities and Investments Commission identifying themselves as victims.