A cybercriminal stole personal information belonging to clients of investment bank Morgan Stanley in a data breach stemming from a vulnerability in one of its third-party IT suppliers.

In May, IT outsourcing firm Guidehouse notified Morgan Stanley that an attacker had accessed customers’ personal stock plan files stored on its servers.

Guidehouse, which provides maintenance services to Morgan Stanley’s StockPlan Connect, informed the financial services firm that client names, addresses, dates of birth, Social Security numbers and company names had been stolen.

Verdict has asked Morgan Stanley how many customers were affected.

The attacker carried out the initial intrusion in January 2021 by exploiting a vulnerability in Accellion FTA (File Transfer Appliance), a file transfer product that companies install on their own servers to move large files.

Although the files were encrypted, the attacker was “able to obtain the decryption key”, according to a data breach notification letter sent by Morgan Stanley to the New Hampshire attorney general.

Guidehouse first detected the breach in March, which meant the time from intrusion to notification was six months.

David Bicknell, principal thematic analyst at GlobalData, told Verdict: “If I was a corporate client, I might be somewhat miffed if I eventually found out about the breach six months later, even allowing for the fact that it involves a third-party vendor which probably slows down the overall reporting process.”

Passwords for financial accounts were not accessed during the hack and no Morgan Stanley systems were compromised.

Guidehouse said it will offer free credit monitoring services for 24 months to clients who had their data stolen.

Security news site Bleeping Computer was the first to report the Morgan Stanley data breach.

Guidehouse said it patched the Accellion FTA in January, five days after the security fix was made available. But those five days were still enough time for the attacker to swoop in and exfiltrate the data.

Guidehouse said it has found no evidence that the stolen files have been distributed online.

Security experts said the Morgan Stanley data breach demonstrated how patching alone isn’t enough.

“Attackers might have already compromised the system, and since they define the rules of their attack, they might be waiting for a good time to actually launch the attack or release data already obtained,” said Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Centre. “Since the goal of patch management is protecting systems from compromise, patch management strategies should include reviews for indications of previous compromise – even if the software is already patched.”

The data breach is the latest example of a supply chain attack, in which hackers target a weak link in an organisation’s supply chain.

In some cases, it means an attacker can gain access to many organisations with one hack. The attack on IT vendor SolarWinds saw up to 18,000 organisations unwittingly download a malicious software update, while an exploit used against on-premises Microsoft Exchange Servers put an estimated 250,000 servers at risk.

This week, a cyberattack on IT vendor Kaseya saw up to 1,500 businesses globally hit by ransomware.

“With the software supply chains that power modern business including various service providers, periodic reviews of service provider relationships should also include verification that latent compromise isn’t present,” added Mackey.
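Mackey's point here and in the earlier quote, that patch management should include a review for compromise that predates the patch, as an added example that is not part of the article or of any vendor's tooling: given a host's patch record and its file-access log, it computes the exposure window between the fix being available and being applied and flags external activity inside that window (all host names, dates and addresses below are constructed, and the optional lookback exists because exploitation can also predate the fix itself).

```python
from datetime import date, datetime, timedelta

# Constructed sample data, not taken from the article: one file-transfer
# host's patch record and a few file-access events from the same period.
PATCH_RECORD = {
    "host": "fta-01.example.internal",    # hypothetical host name
    "fix_available": date(2021, 1, 20),   # constructed dates
    "fix_applied": date(2021, 1, 25),     # five days later, as in the story
}

ACCESS_LOG = [
    # (timestamp, source address, action, object) -- constructed events
    ("2021-01-18T09:12:00", "10.0.5.20", "download", "plan_2020Q4.csv"),
    ("2021-01-22T02:41:00", "203.0.113.7", "download", "plan_2020Q4.csv"),
    ("2021-01-22T02:44:00", "203.0.113.7", "download", "key_backup.bin"),
    ("2021-02-03T11:05:00", "10.0.5.21", "upload", "plan_2021Q1.csv"),
]


def exposure_window(record):
    """Days between the vendor fix being available and it being applied."""
    return (record["fix_applied"] - record["fix_available"]).days


def events_in_window(record, log, lookback_days=0):
    """Events that happened while the fix was not yet applied.

    lookback_days extends the window backwards, since an attacker may have
    been in before the fix was even published."""
    start = record["fix_available"] - timedelta(days=lookback_days)
    end = record["fix_applied"]
    return [e for e in log
            if start <= datetime.fromisoformat(e[0]).date() < end]


def review_after_patch(record, log, lookback_days=0,
                       internal_prefixes=("10.",)):
    """Post-patch review: flag window events from outside internal ranges.

    An empty 'flagged' list means nothing was seen in this log, not that the
    host was never compromised; it is one input to the review, not a verdict."""
    flagged = [e for e in events_in_window(record, log, lookback_days)
               if not e[1].startswith(internal_prefixes)]
    return {"host": record["host"],
            "exposure_days": exposure_window(record),
            "flagged": flagged}


if __name__ == "__main__":
    print(review_after_patch(PATCH_RECORD, ACCESS_LOG, lookback_days=7))
```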