Morgan Stanley StockPlan Connect Reports Data Breach
Call Us

Morgan Stanley StockPlan Connect Data Breach

Posted on behalf of Arnold Law Firm on July 12, 2021 in Data Breach. Updated on February 24, 2022

NOTICE: If you are a current or former Morgan Stanley StockPlan Connect business account holder, current or former StockPlan participant, or current or former StockPlan Shareholder and received a NOTICE OF DATA BREACH, contact the Arnold Law Firm at (916) 777-7777 to discuss your legal options.

Morgan Stanley data breachOn May 20, 2021 Morgan Stanley was notified by Guidehouse, a vendor that provides account maintenance services to Morgan Stanley’s StockPlan Connect business, that it had suffered a data breach. Guidehouse advised Morgan Stanley that data it maintained for Morgan Stanley had been accessed through the Accellion FTA vulnerability. Although the files in Guidehouse’s possession were encrypted, the unauthorized party was able to obtain the decryption key during the data breach.

Morgan Stanley reviewed Guidehouse’s remediation of the data breach. According to Guidehouse, the Accellion FTA vulnerability that led to this data breach was patched in January 2021, within 5 days of the patch becoming available. Although the data was obtained by the unauthorized individual around that time, the vendor did not discover the attack until March of 2021, and did not discover the impact to Morgan Stanley until May 2021.

On July 2, 2021, Morgan Stanley reported to the California Attorney General’s office that on January 20, 2021, an unauthorized party accessed Morgan Stanley’s vendors’ server, containing encrypted files from Morgan Stanley. The attack was successful through a vulnerability in the vendor’s server, Accellion FTA. While the exposure was patched within five days, the unauthorized party accessed the encrypted files along with the decryptor.

WHAT INFORMATION WAS INVOLVED?

On July 2, 2021, Morgan Stanley began to send out four versions of the data breach letter to affected individuals notifying them of the Data Breach. Together, the letters include the following exposed data:

  • First and Last names
  • Addresses
  • Dates of Birth
  • Social Security numbers
  • Corporate Company names

Morgan Stanley has engaged credit firm, Experian to offer free credit monitoring services for 24 months for those affected by the data breach.

According to Morgan Stanley, they are still assessing the extent of the attack and will be providing affected individuals with a data breach letter. At this time, it is unclear how many letters are expected to go out.

NOTICE: If you are a current or former Morgan Stanley StockPlan Connect business account holder, current or former StockPlan participant, or current or former StockPlan Shareholder and received a NOTICE OF DATA BREACH, contact the Arnold Law Firm at (916) 777-7777 to discuss your legal options.