Morgan Stanley disclosed a data breach after cybercriminals gained access to personally identifiable information through a third-party vendor.
The investment bank was notified of the situation in May 2021 by Guidehouse, a technology consultant that provides account maintenance services for its stock plan management service. The exposed data included customer names, dates of birth, Social Security numbers and company names, according to a letter the firm sent to New Hampshire’s Attorney General.
Morgan Stanley is the latest in a long string of businesses affected by cybercriminals who exploited a vulnerability in the popular file-transfer software Accellion. Other victims affected by the exploited software flaw include the global energy firm Shell, multinational law firm Jones Day, Australian Securities and Investments Commission, Office of the Washington State Auditor, Stanford University, cybersecurity firm Qualys, Flagstar Bank, and others.

The incident draws attention to third-party risks faced by the financial sector. Guidehouse provides services to financial clients, including GRC solutions, loan and loan guarantee services, financial management and financial regulatory advisory services, anti-money laundering, and fraud prevention.