Cyber Incident Victim: Virgin Group
Date: Mar 2023
Location: United Kingdom
Summary
The Virgin Group's rewards program, Virgin Red, experienced unauthorized data access through a third-party breach of Fortra's GoAnywhere file transfer solution, which the Clop ransomware group exploited via a remote code execution vulnerability. Clop claimed responsibility for the incident, though the organization confirmed that the exfiltrated files, which were intercepted during processing through the vendor's system, contained no customer or employee personal data. The attack formed part of a broader campaign targeting multiple entities using unpatched instances of the software.
Description
In March 2023, the Clop ransomware gang exploited a critical remote code execution vulnerability (CVE-2023-0669) in Fortra's GoAnywhere MFT secure file transfer tool to breach multiple organizations, including Virgin Red, the rewards program of Virgin Group. Clop listed "Virgin" on its dark web leak site around March 20-23, 2023, alongside other victims like the City of Toronto and the UK's Pension Protection Fund. Virgin Group confirmed the incident affected only Virgin Red, clarifying that attackers accessed files through a third-party supplier's compromised GoAnywhere instance. The breach occurred as part of Clop's broader campaign targeting unpatched GoAnywhere systems with internet-exposed administrative consoles; Fortra had warned that the vulnerability had been exploited as a zero-day since January 2023. Clop previously claimed to BleepingComputer in February 2023 that it had stolen data from over 130 organizations via this vulnerability during a ten-day exploitation window. Virgin Red's parent company stated the compromised files contained no customer or employee personal data, minimizing direct privacy risks.

Virgin Group attributed the breach to the attack on its supplier's file transfer system and engaged in investigative efforts to assess the scope. A spokesperson emphasized that the incident posed no threat to individuals due to the non-personal nature of the exposed data, though no technical containment measures or system changes were disclosed. The attack mirrored breaches at other GoAnywhere customers, including Hitachi Energy and Rubrik, where Clop exfiltrated data for extortion. Unlike the UK Pension Protection Fund—which confirmed employee data theft and offered monitoring services—Virgin Red maintained no sensitive information was compromised. The organization did not indicate whether it discontinued GoAnywhere usage post-breach, as PPF had done. Clop continued adding victims to its leak site throughout March, demonstrating persistent exploitation of the vulnerability despite Fortra's patching advisories and public disclosures about the attacks.
