Cyber Incident Victim: Rio Tinto
Date: Jan 2023
Location: Australia
Summary
A cybersecurity incident involving GoAnywhere, the managed file transfer service operated by Fortra and used by Rio Tinto for data transfers, led to potential unauthorized access to personal employee information. Suspicious activity within the managed file transfer service prompted a temporary service suspension to halt further unauthorized access, with Fortra coordinating notifications to affected customers and relevant authorities. The compromised data included payroll details such as payslips and overpayment letters for a limited number of the mining company's Australian staff, allegedly seized by a cybercriminal group. This incident was part of a broader pattern of breaches linked to the vendor's platform affecting multiple global entities.
Description
On January 30, 2023, U.S. cybersecurity firm Fortra detected suspicious activity within certain instances of its GoAnywhere Managed File Transfer as a Service (MFTaaS) solution, a platform used by clients including mining company Rio Tinto for secure data transfers. Fortra responded by initiating a temporary outage of the affected service to prevent further unauthorized access, alongside implementing unspecified additional containment measures. The incident remained under investigation until March 2023, when Rio Tinto disclosed potential data theft in an internal staff memo reviewed by Reuters. The memo indicated that personal data belonging to a small number of Rio Tinto’s Australian employees—specifically payroll documents such as payslips and overpayment letters generated in January 2023—might have been exfiltrated by a cybercriminal group exploiting the GoAnywhere vulnerability. Rio Tinto did not publicly confirm the exact number of affected employees or whether operational systems beyond the compromised file-transfer service were impacted.

Fortra, while declining to confirm Rio Tinto as a specific victim, acknowledged notifying all potentially affected customers and coordinating incident response efforts with the U.S. Cybersecurity and Infrastructure Security Agency (CISA). The breach formed part of a broader pattern, as multiple global organizations and government entities using GoAnywhere reported similar security incidents in early 2023. Rio Tinto’s disclosure highlighted the theft’s narrow scope—limited to Australian payroll records from a single month—but did not specify whether employee banking details, national identifiers, or other sensitive data were compromised. No ransomware deployment or disruptive attacks on Rio Tinto’s industrial control systems were reported in connection with the breach. The company’s internal communication served as its primary acknowledgment of the incident, with no subsequent public statements detailing forensic findings, regulatory notifications, or remedial actions for affected personnel.
