Cyber Incident Victim: Galderma

Date: Jan 2023

Location: United States of America

Summary

A ransomware group linked to Russia exploited a vulnerability in Fortra's GoAnywhere secure file transfer tool, compromising numerous organizations including Swiss pharmaceutical company Galderma. The Clop gang claimed access to data from approximately 130 entities, though Galderma declined to confirm any specific data impact when contacted. Other confirmed victims experienced theft of sensitive information such as employee details, patient health records, and mock customer data, with some organizations denying actual data exposure despite being listed by the attackers. The breach's full scope remains unclear as many affected companies either declined to comment or were still investigating potential compromises.

Description

The mass-ransomware attack exploiting a critical vulnerability in Fortra's GoAnywhere secure file transfer tool emerged in late January or early February 2023, though the precise start date remains unconfirmed. The Russia-linked Clop ransomware gang claimed responsibility, asserting it had compromised data from 130 organizations using the software. Fortra had concealed details of the vulnerability behind a login portal until independent security reporter Brian Krebs exposed it on February 2. Fortra released patches on February 7, but by then, attackers had already exfiltrated substantial data from multiple victims. Clop gradually listed affected organizations on its dark web leak site, using stolen data to extort ransom payments. Healthcare provider Community Health Systems confirmed the theft of over 1 million patient records, while Hatch Bank, Rubrik, and Investissement Québec acknowledged employee data breaches. Hitachi Energy attributed its incident to Fortra's compromised systems. The City of Toronto initially denied data exfiltration on March 20 but revised its statement on March 23, confirming unauthorized access through its GoAnywhere instance while maintaining no resident data was stolen.

Swiss pharmaceutical company Galderma was among the organizations Clop added to its leak site in March 2023. When contacted by TechCrunch, Galderma spokesperson Christian Marcoux declined to answer questions regarding the breach or confirm data compromise. The company did not dispute its use of GoAnywhere. Similar non-committal responses came from other listed entities like ITx Companies, Brightline, Emerald Expositions, and MedMinder, all of which deferred commentary pending internal investigations. Clop released samples of stolen data from Onex Corporation, including tax forms and employee details, but did not publicly disclose Galderma-specific data. Several organizations, including AvidXchange and Saks Fifth Avenue, asserted that only non-sensitive test data or externally processed files were impacted. Fortra itself did not publicly confirm whether its internal systems hosting customer data were breached or provide a list of affected clients. The full scope of the incident remained unclear, with Clop disclosing fewer than half of the claimed 130 victims by late March.
