Cyber Incident Victim: Rio Tinto
Date: Mar 2023
Location: Australia
Summary
A cybercriminal group possibly stole personal payroll information, including payslips and overpayment letters, from current and former Australian employees of Rio Tinto through a breach in Fortra’s GoAnywhere managed file transfer software. The attackers threatened to release the data on the dark web, though no records had been disclosed at the time of reporting; the incident reflects a broader pattern of exploitation targeting vulnerabilities in Fortra’s platform affecting multiple organizations, with investigations ongoing to determine the extent of data compromise.
Description
On March 23, 2023, Rio Tinto notified current and former Australian employees that their personal data may have been compromised by a cybercriminal group. The breach potentially involved payroll information from January 2023, including payslips and overpayment letters for a small number of staff. The company became aware of the incident through investigations into unauthorized access targeting GoAnywhere, a managed file transfer (MFT) software provided by cybersecurity firm Fortra. Rio Tinto’s internal memo stated the threat actors had threatened to release stolen data on the dark web, though no records had been publicly disclosed at the time of the announcement. The company acknowledged uncertainty regarding whether the cybercriminal group actually possessed the affected records, emphasizing ongoing assessments. No details were provided about how or when Rio Tinto detected the potential breach, but the disclosure coincided with multiple global incidents involving the same Fortra software.

The incident emerged amid a wider pattern of cyberattacks exploiting vulnerabilities in Fortra's GoAnywhere MFT platform, with ransomware group CL0P implicated in related breaches at other organizations. Hitachi Energy disclosed unauthorized access to employee data through a CL0P ransomware attack on GoAnywhere in the preceding week, while Community Health Systems reported potential exposure of personal and medical information for one million individuals via the same software vulnerability in February 2023. The breach marked another instance of threat actors targeting file-transfer systems, following CL0P’s 2021 exploitation of Accellion servers that compromised Morgan Stanley, Kroger, and the Reserve Bank of New Zealand. Rio Tinto did not confirm the attackers’ identity or specify whether ransomware demands were made. London-listed shares of Rio Tinto declined 1.6% following the disclosure, though operational disruptions were not reported. The company continued investigating the scope of data exposure while monitoring for potential releases of information by the cybercriminals.
