Software maker Fortra told its corporate customers that their data was safe — even when it wasn’t — following a ransomware attack on its systems, TechCrunch has learned.
As we have been reporting, the Clop ransomware gang exploited a newly discovered bug in Fortra’s GoAnywhere file transfer software, used by thousands of organizations to transfer sensitive data over the internet. The bug allowed the ransomware gang to hack in and carry out a mass ransomware attack on January 31. The Russia-linked Clop gang claimed it compromised about 130 organizations that were using the vulnerable GoAnywhere tool at the time of the ransomware attack.
Now, new victims are coming to light.
Consumer goods giant Procter & Gamble confirmed to TechCrunch that it was “one of the many companies affected by Fortra’s GoAnywhere incident” and that hackers had obtained some information of its employees as a result. Healthcare and wellness program provider US Wellness also disclosed this week that consumers’ personal and protected health data may have been compromised because of a third-party breach. TechCrunch has learned that US Wellness was a GoAnywhere customer at the time of the ransomware attack.
As the number of victims grows, more details are also beginning to come to light about how Fortra handled the incident.
TechCrunch has heard from two victim organizations that only learned that data had been exfiltrated from their GoAnywhere systems after they each received a ransom demand. Both organizations had been previously told by Fortra that their data was unaffected by the ransomware attack.
One of the organizations told TechCrunch that they realized the situation had changed when it was contacted by the purported hackers but said that the organization has not entered into any negotiations or paid a ransom demand.
When asked about this by email, Fortra spokesperson Rachel Woodford would not comment but did not dispute what the two organizations had told us or that Fortra had told customers their data was safe. Fortra did not make CISO Chris Reffkin available for an interview.
The full impact of the mass-hack resulting from the GoAnywhere vulnerability remains unknown. Fortra would not say, despite repeated requests by TechCrunch, if the company’s in-house GoAnywhere systems storing customers’ data were compromised during the ransomware attack.
The Clop ransomware gang has added dozens of new victims to its dark web leak site over the past few days — including payment software startup AvidXchange, investment giant Onex, the U.K.’s Pension Protection Fund, and the City of Toronto — all of which were identified by TechCrunch as organizations that used vulnerable GoAnywhere file transfer software at the time of the breach, along with dozens of other organizations.
It follows other additions to its leak pages, including Colombian energy giant Grupo Vanti, Australian gambling giant Crown Resorts, and Medex Healthcare.
Fortra has not yet publicly confirmed its January breach beyond an inaccessible advisory on its website. Fortra’s most recent press release on March 16 announced that the company had been awarded “best cybersecurity company” by the Cybersecurity Excellence Awards, an industry award paid for by submitting companies and which Fortra sponsors.
If you know more about the Fortra bug or breach, you can contact Carly Page securely on Signal at +441536 853968, or by email. You can also contact Zack Whittaker on Signal and WhatsApp at +1 646-755-8849 or firstname.lastname@example.org. You can also reach us via SecureDrop.