
Cyber Incident Victim: Pension Protection Fund

Date:

Mar 2023

Location:

United Kingdom

Summary

The UK's Pension Protection Fund suffered a data breach in which current and former employee information was accessed without authorization through a vulnerability in the GoAnywhere MFT secure file transfer tool, hosted by a third-party vendor and exploited by the Clop ransomware gang using a remote code execution flaw. No member or levy payer data was compromised. The organization informed affected individuals, provided support services, discontinued use of the vulnerable software, and collaborated with the vendor, security partners, and law enforcement during the investigation, confirming that its internal systems remained uncompromised.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

The Clop ransomware gang breached the UK's Pension Protection Fund (PPF) in March 2023 by exploiting a critical zero-day vulnerability (CVE-2023-0669) in Fortra's GoAnywhere MFT secure file transfer tool. This incident occurred as part of Clop's coordinated campaign targeting numerous organizations using internet-exposed GoAnywhere instances, which Fortra had disclosed was actively exploited since late January 2023. The attackers gained unauthorized access through PPF's third-party vendor infrastructure, specifically via the compromised file transfer system, rather than directly penetrating PPF's internal networks. Following the intrusion, Clop listed PPF—a statutory corporation managing pension protections for UK citizens under parliamentary oversight—on its dark web leak site alongside other victims including the City of Toronto and Virgin Red. The PPF confirmed the breach impacted current and former employee data but stated no pension member information or levy payer details were compromised, maintaining that attackers accessed files through a GoAnywhere server managed by an external vendor rather than PPF's own systems.


The PPF promptly suspended use of GoAnywhere upon detecting the breach and initiated investigations with Fortra, cybersecurity partners, and UK law enforcement agencies. By March 23, the organization had notified all affected employees about the exposure of their personal data, offering them support services including additional monitoring measures. Internal communications emphasized that PPF's core systems remained uncompromised and continued operating under established high-security standards, with leadership reiterating commitments to member data protection throughout public statements. While complete forensic analysis remained ongoing, PPF publicly affirmed the breach scope was limited to employee data accessible via the vendor-managed file transfer system, distinguishing this from any compromise of member pension records or financial systems. The incident underscored risks associated with third-party vendor vulnerabilities, though PPF maintained no operational disruptions occurred to pension protection services during or after the attack.

Sources: 1 source (available to members)