Cyber Incident Victim: Saks Fifth Avenue
Date: Feb 2023
Location: United States of America
Summary
The Clop ransomware gang exploited a vulnerability in Fortra's GoAnywhere MFT servers to breach Saks Fifth Avenue and listed the retailer as a victim on its leak site. The company confirmed that mock customer data used for testing was compromised and asserted that no real customer or payment information was affected, but it did not address the potential theft of corporate or employee data. The incident was part of Clop's broader campaign against unpatched file transfer systems, which affected numerous organizations through a remote code execution vulnerability. The retailer is investigating alongside external experts and law enforcement and has emphasized its ongoing commitment to information security amid rising cyber threats.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In early February 2023, the Clop ransomware gang exploited a critical vulnerability (CVE-2023-0669) in Fortra's GoAnywhere Managed File Transfer (MFT) software to breach systems belonging to Saks Fifth Avenue. This vulnerability allowed remote code execution on internet-exposed GoAnywhere MFT administrative consoles that had not been patched against the zero-day exploit. Clop listed Saks Fifth Avenue on its dark web leak site on March 20, 2023, as part of a broader campaign targeting over 130 organizations through this vulnerability during a ten-day exploitation period. The attack vector mirrored previous Clop operations against other enterprises using unpatched GoAnywhere instances, including a contemporaneous breach of Hitachi Energy disclosed earlier in March. Fortra had privately notified customers about active exploitation of this vulnerability in February following initial zero-day attacks, though the advisory remained non-public until investigative reporter Brian Krebs disseminated details.

Saks confirmed the incident stemmed from compromised systems at Fortra, its third-party vendor, stating that attackers accessed mock customer data used exclusively for simulating order transactions in testing environments. The retailer emphasized that this dataset contained no genuine customer information, payment card details, or operational transaction records. Saks did not address whether corporate intellectual property, employee records, or other sensitive internal data was exfiltrated during the breach. The company initiated an investigation involving external cybersecurity experts and law enforcement agencies, reiterating its commitment to information security while acknowledging the persistent threat landscape facing retail organizations. Saks OFF 5TH was not involved in this incident, as it had been corporately separated from Saks Fifth Avenue before the attack. Historical context includes unrelated 2017-2018 security lapses in which Saks exposed customer data through publicly accessible web pages and suffered payment card theft by the Fin7 cybercrime group, though no technical or tactical connection exists between those prior events and the 2023 Clop ransomware intrusion.
