Cyber Incident Victim: Virgin Red
Date: Mar 2023
Location: United Kingdom
Summary
Virgin Red experienced a data breach through its third-party secure file transfer vendor, GoAnywhere, exploited by the Clop ransomware group via a critical remote code execution vulnerability. The attackers exfiltrated files, but the organization confirmed no customer or employee personal data was compromised as the accessed information did not pose risks to individuals. This incident occurred as part of a broader campaign targeting multiple organizations using unpatched instances of the file transfer solution, with Clop claiming extensive unauthorized data access from numerous victims through the same exploit. Virgin Red's breach stemmed from compromised supplier systems rather than direct infiltration of its own infrastructure.
Description
On March 20, 2023, the City of Toronto detected potential unauthorized access to its data through a third-party vendor’s compromised file transfer system, later identified as Fortra’s GoAnywhere MFT platform. The Clop ransomware gang claimed responsibility for the intrusion, adding Toronto to its list of victims alongside UK-based Virgin Red and the Pension Protection Fund (PPF). The breach stemmed from exploitation of CVE-2023-0669, a remote code execution flaw in GoAnywhere MFT instances with administrative consoles exposed to the internet. Fortra had previously notified customers of active zero-day exploitation targeting this vulnerability in January and February 2023. Clop publicly asserted it had stolen data from over 130 organizations within ten days by targeting unpatched GoAnywhere servers, with new victims continuing to emerge. Virgin Red confirmed it was contacted by Clop regarding files exfiltrated via the GoAnywhere compromise, though the breach was limited to its supplier’s system. The City of Toronto reported that the accessed data consisted solely of files that could not be processed through the vendor’s transfer system, and it initiated investigations to assess potential resident data exposure.

Virgin Red clarified that Clop’s attack exclusively affected its operations, with no compromise of customer or employee personal data. Files exfiltrated from Virgin Red’s supplier contained no sensitive information posing risks to individuals. In contrast, the Pension Protection Fund confirmed unauthorized access to current and former employee data through the same GoAnywhere vulnerability, prompting direct notification to affected individuals and offers of monitoring services. PPF ceased using GoAnywhere following the incident and engaged Fortra, security partners, and law enforcement in its investigation, confirming no member or levy-payer data was involved. The City of Toronto emphasized its commitment to resident privacy protections while evaluating breach impacts, pledging to notify individuals if compromised data was identified. Other organizations impacted during this campaign included Hitachi Energy, Saks Fifth Avenue, and cybersecurity firm Rubrik. Fortra’s continuing advisory urged all GoAnywhere users to apply patches to mitigate further exploitation risks.
