Fortra told hacked companies their data was safe

Software maker Fortra told its enterprise customers that their data was safe — even when it wasn’t — following a ransomware attack on its systems, TechCrunch has learned.

As we reported, the Clop ransomware gang exploited a recently discovered bug in Fortra’s GoAnywhere file transfer software, used by thousands of organizations to transfer sensitive data over the Internet. The bug allowed the ransomware gang to hack and carry out a massive ransomware attack on January 31. The Russian-linked Clop gang claimed it had compromised around 130 organizations that were using the vulnerable GoAnywhere tool at the time of the ransomware attack.

Today, new victims are emerging.

Consumer goods giant Procter & Gamble confirmed to TechCrunch that it was “one of many companies impacted by Fortra’s GoAnywhere incident” and that hackers obtained information about its employees as a result. Health and wellness program provider US Wellness also disclosed this week that consumers’ personal and protected health data may have been compromised due to a third-party breach. TechCrunch has learned that US Wellness was a GoAnywhere customer at the time of the ransomware attack.

As the number of casualties grows, more and more details also begin to emerge as to how Fortra handled the incident.

TechCrunch has heard of two victim organizations who only learned that data had been exfiltrated from their GoAnywhere systems after they each received a ransom demand. Both organizations had previously been informed by Fortra that their data was not affected by the ransomware attack.

One of the organizations told TechCrunch that it realized the situation had changed when contacted by the alleged hackers, but said the organization did not enter into any negotiations or pay a ransom demand.

Asked about this by email, Fortra spokeswoman Rachel Woodford declined to comment but did not dispute what the two organizations had told us or that Fortra had told customers their data was safe. Fortra did not make CISO Chris Reffkin available for an interview.

The full impact of mass hacking resulting from the GoAnywhere vulnerability remains unknown. Fortra would not say, despite repeated requests from TechCrunch, whether the company’s internal GoAnywhere systems storing customer data were compromised during the ransomware attack.

The Clop ransomware gang has added dozens of new victims to its dark web leak site in the past few days – including payment software startup AvidXchange, investment giant Onex, consumer protection fund UK Pensions and the City of Toronto, – all of whom have been identified. by TechCrunch as organizations that were using the vulnerable GoAnywhere file transfer software at the time of the breach, along with dozens of other organizations.

It follows other additions to its leak pages, including Colombian energy giant Grupo Vanti, Australian gambling giant Crown Resorts and Medex Healthcare.

Fortra has yet to publicly confirm its January violation beyond an inaccessible notice on its website. Fortra’s most recent press release, on March 16, announced that the company had been recognized as “Best Cybersecurity Company” by the Cybersecurity Excellence Awards, an industry award paid for by submitting companies and sponsored by Fortra.