Cyber Incident Victim: ITx Companies
Date: Jan 2023
Location: United States of America
Summary
A mass-ransomware attack exploiting a vulnerability in Fortra's GoAnywhere secure file transfer tool impacted numerous organizations, including ITx Companies, with the Russia-linked Clop gang claiming compromise of approximately 130 entities. The attackers exfiltrated sensitive data such as employee personal information, health records, tax forms, and mock customer datasets, leveraging stolen files to extort victims via threats of public leaks. While some affected organizations confirmed breaches involving their GoAnywhere systems—including healthcare providers, financial institutions, and municipal services—others denied data theft or remained under investigation, with Fortra providing no public clarification on the scope or its own potential compromise.
Description
The mass-ransomware attack targeting Fortra's GoAnywhere secure file transfer tool began in late January or early February 2023, though the precise start date remains undetermined. Exploiting a critical vulnerability in the widely used data transfer platform, the Russia-linked Clop ransomware gang infiltrated systems hosted both in the cloud and on organizational networks. Fortra had concealed details of the vulnerability behind a login portal until independent security reporter Brian Krebs exposed the flaw on February 2. Five days later, on February 7, Fortra released security patches, but by then, attackers had already exfiltrated substantial data from multiple victims. Clop claimed compromise of 130 organizations through this campaign but had publicly listed fewer than half on its dark web leak site by March 2023, using the site to pressure victims by threatening data publication unless ransom demands were met.

Confirmed impacts emerged gradually across sectors. Healthcare provider Community Health Systems disclosed the theft of health data belonging to over 1 million patients from its GoAnywhere system. Digital finance firm Hatch Bank and cybersecurity company Rubrik also acknowledged breaches linked to the vulnerability. The City of Toronto initially reported "no exfiltration" on March 20 but revised its statement on March 23, confirming unauthorized access to files processed through its third-party GoAnywhere instance. Canadian financial institution Investissement Québec and industrial firm Hitachi Energy attributed employee data theft to the compromise of Fortra-hosted GoAnywhere systems.

Multiple organizations, including payment processor AvidXchange and retailer Saks Fifth Avenue, confirmed using GoAnywhere but disputed the sensitivity of the data involved: AvidXchange asserted that it stored no data on Fortra’s platform, while Saks stated that only mock customer test data was taken. ITx Companies, a healthcare call center provider, was listed on Clop’s leak site, with CEO Philip Gower declining to comment when contacted by TechCrunch, alongside other non-responsive entities like pharmaceutical firm Galderma and child mental health startup Brightline.

Fortra did not publicly confirm which customers were affected or whether its internal systems hosting client data were breached, and company spokespersons declined to answer media inquiries. The incident’s full scope remained unclear due to delayed disclosures and inconsistent victim confirmations, though stolen data samples included W-9 tax forms, payment records, and employee personally identifiable information from entities like investment firm Onex.
