
Cyber Incident Victim: Guinness Partnership

Date: Jan 2023

Location: United Kingdom

Summary

A ransomware attack exploiting a vulnerability in Fortra's GoAnywhere file transfer tool impacted multiple organizations, including the Guinness Partnership, through a mass-hack attributed to the Russia-linked Clop gang. The attackers compromised approximately 130 entities, stealing sensitive data such as employee information, healthcare records, and financial documents, though specific impacts on individual victims varied. While some organizations confirmed data breaches affecting millions of patients or mock customer datasets, others denied exfiltration or remained under investigation. The Guinness Partnership, identified as a GoAnywhere user, did not respond to requests for comment regarding potential compromise. Fortra, the software developer, did not publicly disclose affected customers or confirm whether its own systems hosted victim data.

Description

The mass-ransomware attack exploiting a vulnerability in Fortra’s GoAnywhere secure file transfer tool emerged in late January or early February 2023, though the precise start date remains unclear. The Russia-linked Clop ransomware gang claimed responsibility, asserting it had compromised data from 130 organizations using the software. Fortra, the developer of GoAnywhere, had initially concealed details of the critical vulnerability (CVE-2023-0669) behind a customer login portal until independent security reporter Brian Krebs exposed it publicly on February 2. Fortra released patches on February 7, but by then, attackers had already exfiltrated data from multiple victims. Clop’s operational pattern involved stealing sensitive files and threatening victims via a dark web leak site to publish data unless ransoms were paid. The attack vector targeted both cloud-hosted and on-premises instances of GoAnywhere, a platform designed for transferring large datasets securely.

Confirmed impacts began surfacing in March 2023. Community Health Systems, a major U.S. healthcare provider, disclosed the theft of health data belonging to over 1 million patients from its GoAnywhere system. Hatch Bank, Rubrik, Investissement Québec, and Hitachi Energy subsequently acknowledged breaches involving employee or customer data stolen via the same vulnerability. Clop gradually added victim names to its leak site, though many organizations denied data theft or provided limited details. The City of Toronto confirmed unauthorized access through its third-party GoAnywhere instance but initially claimed no data exfiltration before revising its statement to acknowledge compromised files. Saks Fifth Avenue stated attackers stole mock customer data used for testing, emphasizing no real customer or payment information was affected. AvidXchange asserted it stored no sensitive data on Fortra’s platform, though Clop listed it as a pending leak. England-based affordable housing provider Guinness Partnership was identified as a GoAnywhere user but did not respond to repeated requests for comment, leaving its breach status unconfirmed. Fortra itself declined to comment on whether its internal systems hosting customer data were compromised or if it had notified all affected clients. By March 23, Clop had publicly listed fewer than half of the 130 claimed victims, and the full scope of stolen data—including tax forms, payment records, and employee details—remained unclear due to inconsistent victim disclosures and ongoing investigations.
