The number of victims affected by a mass-ransomware attack, caused by a bug in a popular data transfer tool used by businesses around the world, continues to grow as another organization tells TechCrunch that it was also hacked.
The City of Toronto told TechCrunch in a revised statement on March 23: “Today, the City of Toronto has confirmed that unauthorized access to City data did occur through a third party vendor. The access is limited to files that were unable to be processed through the third party secure file transfer system.”
“The City is actively investigating the details of the identified files,” said city spokesperson Alex Burke.
TechCrunch initially contacted the city on March 20 for comment after identifying it as an organization that used the GoAnywhere file transfer software at the time of the ransomware attack. The city said its review found “no exfiltration of internal data, nor residents’ data.”
TechCrunch has learned of dozens of organizations that used the affected GoAnywhere file transfer software at the time of the breach, suggesting more victims are likely to come forward.
Over the past few days, the Russia-linked Clop gang has added dozens of other organizations to its dark web leak site, which it uses to extort companies further by threatening to publish the stolen files unless a financial ransom demand is paid.
Canadian financing giant Investissement Québec confirmed to TechCrunch that “some employee personal information” was recently stolen by a ransomware group that claimed to have breached dozens of other companies. Spokesperson Isabelle Fontaine said the incident occurred at Fortra, previously known as HelpSystems, which develops the vulnerable GoAnywhere file transfer tool.
Hitachi Energy also confirmed this week that some of its employee data had been stolen in a similar incident involving its GoAnywhere system, but saying the incident happened at Fortra.
However, while the number of victims of the mass-hack is widening, the known impact is murky at best.
Since the attack in late January or early February — the exact date is not known — Clop has disclosed less than half of the 130 organizations it claimed to have compromised via GoAnywhere, a system that can be hosted in the cloud or on an organization’s network that allows companies to securely transfer huge sets of data and other large files.
It isn’t clear if Fortra, which has not publicly commented on the incident, knows yet which customers are affected. When reached by email prior to publication, Fortra spokespeople Mike Devine and Rachel Woodford would not comment or provide answers to any of our questions, including whether Fortra’s in-house GoAnywhere systems hosting customers’ data were also hit by the mass-hack.
Details only came to light on February 2 after independent security reporter Brian Krebs first reported details of the bug, which Fortra had hidden behind a login screen on its website. Fortra released security fixes for GoAnywhere five days later on February 7.
By then, the hackers had already stolen reams of data from numerous victims.
Healthcare giant Community Health Systems, one of the largest healthcare providers in the United States, was first to confirm that it was one of the 130 alleged companies fallen victim to the hack, saying at least 1 million patients had their health information stolen from its affected GoAnywhere system. Digital finance giant Hatch Bank was next to confirm a breach linked to the GoAnywhere bug, then cybersecurity giant Rubrik. The list continues to grow.
Listed companies deny data thefts
It’s not clear if Clop yet knows what data it has stolen in its digital smash-and-grab. TechCrunch contacted some of the organizations known to use GoAnywhere that were recently added to Clop’s leak site. Several responded saying that they were unaffected.
Payment software startup AvidXchange, one of Clop’s latest additions, told TechCrunch that while it uses GoAnywhere to transfer files to a specific company that prints its checks, the company does not store any data on Fortra’s platform.
“Our forensics further prove our conclusion on this matter,” said AvidXchange spokesperson Olivia Sorrells. “Fortra notified AvidXchange of the vulnerability, remediation, and the results of their investigation regarding AvidXchange’s GoAnywhere account the week that the [vulnerability] was announced,” the spokesperson said. “GoAnywhere took AvidXchange’s instance offline once GoAnywhere became aware of the incident to further prevent unauthorized access to the platform.”
Clop’s leak site says that data from AvidXchange is “coming soon.”
Department store giant Saks Fifth Avenue, which was added to Clop’s leak site this week, tells TechCrunch that the hackers exploited the GoAnywhere flaw to steal mock customer data from its systems. “The mock customer data does not include real customer or payment card information and is solely used to simulate customer orders for testing purposes,” said Saks spokesperson Nicola Schoenberg.
A number of other organizations recently added to Clop’s site declined to comment when asked if their GoAnywhere systems — most believed to be hosted by Fortra — were affected.
That includes Swiss pharmaceutical giant Galderma, whose spokesperson Christian Marcoux declined to answer our questions; healthcare call center provider ITx Companies, whose CEO Philip Gower declined to comment; child mental health startup Brightline, whose CEO Naomi Allen deferred to spokesperson John O’Connor, who declined to comment; events planner Emerald Expositions, whose spokesperson Beth Cowperthwaite declined to comment; and MedMinder, whose spokesperson Stacy Clougherty said MedMinder is “aware of the allegations” but declined to comment further while the company investigates.
None of the companies disputed that they are GoAnywhere customers.
Clop has released samples of data allegedly stolen from Onex, seen by TechCrunch, including W-9 tax forms, payment orders and employee information, including names, gender and email addresses. Onex did not return requests for comment.
Other identified GoAnywhere users did not respond to multiple requests for comment, including Canadian rehab and mental health provider Homewood Health, England-based affordable housing provider Guinness Partnership, retail banking company Avidia Bank, Medex Healthcare, Cornerstone Home Lending and Colombian energy giant Grupo Vanti.
Lorenzo Franceschi-Bicchierai contributed.
Updated on March 23 to include a new statement from the City of Toronto confirming that its GoAnywhere system was compromised, revising an earlier statement it issued on March 20 saying that there had been “no exfiltration” of data.
If you know more about the Fortra bug or breach, you can contact Carly Page securely on Signal at +441536 853968, or by email. You can also contact Zack Whittaker on Signal and WhatsApp at +1 646-755-8849 or firstname.lastname@example.org. You can also contact TechCrunch via SecureDrop.