Cyber Incident Victim: City of Toronto
Date:
Mar 2023
Location:
Canada
Summary
The City of Toronto confirmed unauthorized data access occurred through a third-party vendor's compromised Fortra GoAnywhere MFT file transfer system, exploited by the Clop ransomware group via a remote code execution vulnerability (CVE-2023-0669). Clop claimed responsibility for the breach, part of a broader campaign affecting over 130 organizations, including UK entities Virgin Red—where stolen files allegedly contained no customer data—and the Pension Protection Fund, which confirmed current and former employee data exposure. While the city stated impacted files were limited to those unable to be processed via the vendor system and is assessing potential resident data compromise, the pension fund notified affected individuals and offered monitoring services. All breaches stemmed from unpatched instances of the vulnerable software.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around March 20, 2023, the City of Toronto detected potential unauthorized access to its data through a third-party vendor’s secure file transfer system. The Clop ransomware group claimed responsibility for the breach, listing Toronto among victims of its exploitation of CVE-2023-0669, a remote code execution vulnerability in Fortra’s GoAnywhere MFT software. This flaw enabled attackers to compromise unpatched GoAnywhere instances exposed to the internet. Toronto confirmed that unauthorized access occurred specifically through the vendor’s file transfer system, affecting files that could not be processed via that platform. The city acknowledged it was still evaluating the scope of the breach but stated no personal data compromise had yet been confirmed. Immediate actions included launching an investigation into the impacted files and committing to notify affected individuals if resident data was found to be compromised. Toronto emphasized its routine success in thwarting daily cyber attacks while underscoring its commitment to data privacy.
The incident formed part of Clop’s broader campaign targeting GoAnywhere users, which the group claimed had compromised over 130 organizations within ten days prior to February 2023. Other victims included Virgin Red, Virgin Group’s rewards platform, and the UK’s Pension Protection Fund (PPF). Virgin Red clarified that although Clop acquired files via its GoAnywhere supplier, no customer or employee personal data was exposed. The PPF confirmed that current and former employee data was stolen, prompting direct notifications to affected individuals, offers of monitoring services, and discontinuation of GoAnywhere. Fortra had previously warned customers about in-the-wild exploitation of the zero-day vulnerability and urged patching. Toronto’s breach represented a third-party supply chain compromise, with the city’s own systems remaining intact. The full impact on Toronto’s operations or resident data remained under investigation at the time of reporting.