Morgan Stanley on Thursday disclosed that a data breach at one of its contractors led to the theft of personal information about some customers whose stock accounts had gone dormant.
The bank said in a notice to affected clients that the cyber intrusion affected Guidehouse LLP, a consulting company that Morgan Stanley uses to find current addresses for clients of its stock-plan business whose accounts had been inactive for long periods of time and whose assets were at risk of being liquidated and turned over to the state. The exposed information included customer names, dates of birth, Social Security numbers and company names but not passwords to access the accounts, the bank said.
The breach was previously reported by Bleeping Computer.
Morgan Stanley said Guidehouse discovered the breach in May and that it involved exploitation of a vulnerability in file-transfer software from Accellion Inc., whose products have been the target of a range of advanced attacks that were discovered in December.
“The protection of client data is of the utmost importance and is something we take very seriously,” Morgan Stanley said in a statement. It declined to comment on how many clients were affected. “We are in close contact with Guidehouse and are taking steps to mitigate potential risks to clients.”
In a statement, Guidehouse said it discontinued use of the breached Accellion system and alerted authorities to the intrusion. “We have already contacted clients whose information may have been impacted and are assisting them with making all appropriate notifications to individuals. There is no disruption of our operations and our internal systems were not compromised in any way by this issue.”
Subscribe to Fortune Daily to get essential business stories straight to your inbox each morning.
