
Cyber Incident Victim: Fortra

Date: Jan 2023

Location: United States of America

Summary

A ransomware attack exploiting a zero-day vulnerability in Fortra's GoAnywhere file-transfer software resulted in widespread data theft affecting multiple organizations, including healthcare benefits provider NationsBenefits, which confirmed over 7,100 individuals in New Hampshire had personal information stolen. The Clop ransomware gang claimed responsibility for the mass breach, targeting both Fortra-hosted instances and customer-managed servers, with additional victims including healthcare giant Community Health Systems, consumer goods firm Procter & Gamble, and public entities like the City of Toronto. Fortra faced criticism for initially concealing breach details behind a customer login portal and delaying vulnerability disclosure, leading to delayed victim notifications despite prior assurances of data safety.


Description

The Fortra breach began in late January 2023 when attackers exploited a previously unknown vulnerability in Fortra's GoAnywhere file-transfer software, a tool used by organizations to share large datasets. The Clop ransomware gang claimed responsibility for the mass hack, alleging theft of data from over a hundred organizations. Fortra’s hosted GoAnywhere instances were compromised, enabling unauthorized access to customer data.

NationsBenefits, a Florida-based healthcare technology company, confirmed that hackers stole personal information of over 7,100 New Hampshire residents stored in its Fortra-hosted GoAnywhere instance. The company provides supplemental benefits to over 20 million U.S. health insurance members but declined to disclose the total number affected beyond New Hampshire or specify the exact data types stolen. Community Health Systems was among the earliest confirmed victims, with Clop claiming theft of data on at least 1 million patients. Additional affected entities included Procter & Gamble, US Wellness, Onex, the U.K. Pension Protection Fund, Brightline, and the City of Toronto.

Fortra patched the vulnerability one week after the attack but faced criticism for initially concealing breach details behind a customer login wall. Security reporter Brian Krebs brought public attention to the incident by publishing Fortra’s hidden disclosure.

Fortra’s delayed transparency extended to its communications with customers. NationsBenefits stated it learned of the vulnerability’s existence only after directly contacting Fortra, despite the company having prior knowledge of the exploit. Fortra later acknowledged in a blog post that on-premises customer servers were compromised nearly two weeks before its hosted systems were breached. The company declined to disclose the total number of affected customers or provide additional details beyond its public statement. NationsBenefits filed breach notifications in New Hampshire and California but cited legal exemptions preventing full disclosure of impacted resident counts in California.

The incident exposed systemic issues in Fortra’s incident response, including providing false assurances to some customers about data safety before ransom demands confirmed theft. Healthcare organizations were disproportionately impacted, with stolen data including sensitive member information. Clop’s broad targeting of Fortra customers highlighted risks in centralized file-transfer solutions, though the full scope of data exfiltrated across all organizations remains unquantified in public disclosures.
