Cyber Incident Victim: Saks Fifth Avenue
Date: Mar 2023
Location: United States of America
Summary
A luxury retailer experienced a cybersecurity incident involving unauthorized access to its systems via exploitation of a vulnerability in a third-party file transfer solution, attributed to the Clop ransomware group. The compromised data included mock customer information utilized for testing purposes, with the retailer confirming that no real customer details or payment card data were affected. While the organization collaborated with external experts and law enforcement in an ongoing investigation, it did not explicitly address whether corporate or employee information was accessed. This incident aligns with wider attacks targeting the same vulnerability in the file transfer platform, impacting numerous enterprises. Historical security lapses involving customer data exposure at the retailer were noted in unrelated past events.
Description
The Clop ransomware gang publicly claimed an attack against luxury retailer Saks Fifth Avenue on March 21, 2023, listing the company on its dark web leak site. This incident was part of Clop's broader exploitation campaign targeting unpatched GoAnywhere MFT servers vulnerable to CVE-2023-0669, a critical remote code execution flaw in Fortra's managed file transfer software. The threat actors exploited this zero-day vulnerability in systems with administrative consoles exposed to the internet, a method they reportedly used to breach over 130 organizations within ten days in February 2023. Although Clop did not initially disclose specifics about stolen data or ransom negotiations, Saks confirmed through a spokesperson that "mock customer data" from a Fortra-managed storage location had been exfiltrated. This simulated data, used solely for testing order processing systems, contained no authentic customer information or payment card details, according to the retailer. The company did not confirm whether corporate data or employee information was compromised during the breach.

Saks attributed the incident to a cybersecurity failure at Fortra, its third-party file transfer vendor, while emphasizing that Saks OFF 5TH operated as a separate entity unaffected by the attack. The retailer launched an investigation with external cybersecurity experts and law enforcement agencies but provided no technical details regarding detection timelines, containment measures, or system restoration processes. Fortra had previously alerted customers about active exploitation of the GoAnywhere vulnerability but kept its advisories non-public until investigative journalists revealed the warnings. Historical context shows Saks Fifth Avenue experienced prior security incidents, including a 2018 FIN7 syndicate breach compromising 5 million payment cards and a 2017 exposure of customer data on unsecured web pages, though these were unrelated to the 2023 Clop incident. The company reiterated its commitment to information security without disclosing specific remediation steps taken following this breach.
