
Cyber Incident Victim: Emerald Expositions

Date:

Jan 2023

Location:

United States of America

Summary

A mass-ransomware attack exploiting a vulnerability in Fortra's GoAnywhere secure file transfer tool impacted numerous organizations, including Emerald Expositions. The Russia-linked Clop gang claimed compromise of approximately 130 entities, leveraging stolen data for extortion by threatening public leaks on their dark web site. While some victims like Community Health Systems confirmed large-scale health data theft affecting over a million patients, others including the events planner denied actual data exfiltration or downplayed impacts as involving non-sensitive test information. Fortra's delayed disclosure and patch release enabled widespread exploitation, though many affected organizations—several confirming employee or operational data theft—remained non-committal about breach specifics during investigations.


Description

The mass-ransomware attack exploiting a vulnerability in Fortra's GoAnywhere MFT (Managed File Transfer) software emerged in late January or early February 2023, though the precise initial compromise date remains undetermined. The Russia-linked Clop ransomware gang exploited a zero-day vulnerability in the widely used enterprise file transfer tool, which Fortra had initially documented behind a login-protected advisory on its website. Independent security researcher Brian Krebs publicly disclosed details of the flaw on February 2, prompting Fortra to release security patches on February 7. By that time, attackers had already exfiltrated data from numerous organizations using both cloud-hosted and on-premises instances of GoAnywhere. Clop subsequently claimed to have compromised 130 organizations through this campaign, though fewer than half were publicly named on its dark web leak site as of March 2023.


Healthcare provider Community Health Systems became the first confirmed victim on February 14, disclosing the theft of protected health information for over 1 million patients. Subsequent confirmations included Hatch Bank, Rubrik, Hitachi Energy, and Investissement Québec, with the latter confirming theft of employee personal information via Fortra's compromised systems. Multiple organizations added to Clop's leak site in March—including Emerald Expositions, Saks Fifth Avenue, Galderma, ITx Companies, Brightline, and MedMinder—either declined to comment or provided limited statements when contacted by TechCrunch. Emerald Expositions' spokesperson Beth Cowperthwaite declined to comment on whether their GoAnywhere instance was compromised but did not dispute their status as a GoAnywhere customer. Saks Fifth Avenue acknowledged theft of mock customer data used for testing, while AvidXchange asserted no production data was stored in its GoAnywhere environment despite being listed by Clop. The City of Toronto revised its initial denial on March 23, confirming unauthorized access through its third-party GoAnywhere system but maintaining no resident data was exfiltrated. Impact assessments remained inconsistent across victims, with Clop gradually leaking samples of stolen data—including W-9 forms, payment records, and employee PII from Onex—while many listed organizations continued investigating claims. Fortra maintained no public commentary on the breach scope or whether its internal systems hosting customer data were compromised, despite repeated media inquiries.
