Cyber Incident Victim: Hatch Bank
Date: Jan 2023
Location: United States of America
Summary
Hatch Bank experienced a data breach after attackers exploited a zero-day vulnerability in Fortra's GoAnywhere MFT secure file-sharing platform, compromising names and Social Security numbers of approximately 140,000 customers. The Clop ransomware gang claimed responsibility for the attack, leveraging the remote code execution flaw to steal data, mirroring their prior exploitation of a similar Accellion FTA vulnerability. Following notification by Fortra, the bank initiated a review confirming the theft of sensitive information and offered affected individuals complimentary credit monitoring services. This incident represents one of multiple breaches linked to the GoAnywhere MFT exploitation campaign.
Description
On January 29, 2023, Fortra detected a cyber incident involving a vulnerability in its GoAnywhere MFT secure file-sharing platform. Hatch Bank, a financial technology firm enabling small businesses to access banking services, utilized this platform for secure file transfers. Fortra notified Hatch Bank on February 3, 2023, that unauthorized actors had accessed files stored on Fortra’s GoAnywhere site. The attackers exploited CVE-2023-0669, a remote code execution vulnerability in GoAnywhere MFT, which Fortra disclosed to customers in early February after confirming active exploitation. A public exploit for the flaw emerged on February 6, followed by an emergency patch released by Fortra on February 7. Hatch Bank’s subsequent review confirmed the theft of personal data belonging to 139,493 customers, including names and Social Security numbers. The bank issued breach notifications to affected individuals and state Attorney General offices, offering twelve months of complimentary credit monitoring services.

The Clop ransomware gang claimed responsibility for the GoAnywhere MFT attacks, asserting they exploited the zero-day vulnerability over a ten-day period to steal data from more than 130 organizations. While Hatch Bank did not attribute the breach to a specific threat actor, cybersecurity researcher Joe Slowik of Huntress identified tactical links between the incident and TA505, the group historically associated with Clop ransomware operations. Clop previously employed similar methods in December 2020 by exploiting an Accellion FTA zero-day to exfiltrate data from entities including Morgan Stanley, Shell, and multiple universities. During the Accellion campaign, Clop demanded $10 million ransoms to suppress data leaks, though no specific ransom demands related to the GoAnywhere MFT breaches were confirmed at the time of Hatch Bank’s disclosure. The breach exposed sensitive customer information, prompting Hatch Bank to implement credit monitoring while Fortra addressed the software vulnerability.
