Hatch Bank says hackers used Fortra bug to steal 140,000 customer Social Security numbers

Hatch Bank, a digital-first bank that provides infrastructure for fintech companies offering their own brand credit cards, confirmed hackers exploited a zero-day vulnerability in the company’s internal file transfer software that allowed access to thousands of customer Social Security numbers.

The vulnerability in Fortra’s GoAnywhere file-transfer software came to light on February 2 after security journalist Brian Krebs publicly shared details of Fortra’s security advisory because the tech company had put the advisory behind a login prompt.

The Clop ransomware gang claimed to have exploited the zero-day flaw, tracked as CVE-2023-0669, to steal data from more than 130 organizations. Community Health Systems, one of the largest healthcare providers in the United States, was the first victim to publicly disclose it had fallen victim to the zero-day bug. Hatch Bank, this week, became the second known victim.

In its data breach notification filed with Maine’s attorney general this week, Hatch Bank said that attackers exploited the vulnerability in its GoAnywhere system to steal the names and Social Security numbers of close to 140,000 customers, including 630 individuals based in Maine.

Hatch Bank said that while Fortra (previously known as HelpSystems) learned of the vulnerability in its GoAnywhere software on January 29, the tech company didn’t notify Hatch Bank until February 3 — one day after Krebs revealed news of the GoAnywhere flaw. It’s unclear if these incidents are linked and Fortra declined to answer TechCrunch’s questions.

The notification warned that hackers had unauthorized access to Hatch’s account from January 30 to January 31. “Hatch Bank immediately took steps to secure its files and then launched a diligent and comprehensive review of relevant files to determine the information that may have been impacted,” the bank said in a letter sent to impacted customers on Monday. The bank says that it has also notified federal law enforcement.

The bank says it’s providing those affected by the breach with access to free credit monitoring services. It also said it is working to implement unspecified “additional safeguards” internally, along with cybersecurity training for its employees.

Jer Wood, president at Hatch Bank, did not respond to TechCrunch’s questions.

The scale of the fallout from the GoAnywhere vulnerability remains unknown, but Clop’s claims suggest that many more victims have not yet come forward. Security experts were also quick to liken the flaw to an earlier zero-day flaw affecting Accellion’s legacy file transfer appliance (FTA), which was used to compromise a number of organizations, including Qualys, Shell, the University of Colorado, Kroger and Morgan Stanley.