Cyber Incident Victim: City of Toronto
Date: Feb 2023
Location: Canada
Summary
The City of Toronto experienced unauthorized data access through a third-party vendor's compromised GoAnywhere file transfer system, exploited by the Clop ransomware group. This incident was part of a broader campaign affecting over 130 organizations via a zero-day vulnerability (CVE-2023-0669), leading to data theft. While the municipality was investigating the extent of impacted files, other victims included Virgin Red, where stolen files contained no personal data, and the UK Pension Protection Fund, which confirmed employee information was compromised and offered support to affected individuals. The city emphasized ongoing efforts to protect resident information and daily defense against cyber threats.
Description
The Clop ransomware gang exploited a remote code execution vulnerability (CVE-2023-0669) in Fortra’s GoAnywhere MFT secure file transfer tool to access City of Toronto data through a third-party vendor. The attack occurred as part of a broader campaign targeting unpatched GoAnywhere instances with internet-exposed administrative consoles, which Clop claimed enabled them to compromise over 130 organizations within ten days in February 2023. On March 20, 2023, the City of Toronto detected potential unauthorized access to its systems and subsequently confirmed data theft linked to files that failed to process through the vendor’s secure transfer system. Clop publicly listed Toronto as a victim on its dark web leak site, alongside other organizations including UK-based Virgin Red and the Pension Protection Fund (PPF). The City initiated an investigation to determine the scope of compromised data, emphasizing its commitment to notifying affected residents if personal information was exposed. Fortra had previously alerted customers about active exploitation of the zero-day vulnerability, urging immediate patching.

The breach impacted Toronto’s third-party file transfer operations but did not directly compromise the City’s internal systems. Investigations remained ongoing to identify the specific files and individuals affected. Meanwhile, Virgin Red confirmed Clop accessed non-sensitive files via its GoAnywhere vendor, stressing no customer or employee data was exposed. The UK’s PPF disclosed a more severe impact, with attackers exfiltrating current and former employee data, prompting direct notifications and offers of monitoring services to affected personnel. PPF ceased using GoAnywhere, collaborated with Fortra and law enforcement, and assured members their data remained secure. Toronto reiterated its daily success in thwarting cyberattacks but acknowledged the evolving nature of this incident. Clop’s campaign continued to expand, with additional victims like Hitachi Energy, Saks Fifth Avenue, and Rubrik confirming breaches tied to the same vulnerability. Organizations globally were advised to patch vulnerable GoAnywhere instances to prevent further exploitation.
