The Clop ransomware gang claims to have attacked luxury retailer Saks Fifth Avenue, as listed on their dark web leak site. The company, however, states that no real customer data has been impacted by the cyber security incident. This attack is part of Clop's ongoing targeting of vulnerable GoAnywhere MFT servers belonging to established enterprises.
Saks Fifth Avenue, founded in 1867 by Andrew Saks and headquartered in New York City, is a prominent luxury brand retailer serving the U.S., Canada, and parts of the Middle East. The threat actor has not yet disclosed any additional information, such as the data stolen from the retailer's systems or details about any ongoing ransom negotiations. The cyber security incident is linked to Clop's ongoing attacks targeting GoAnywhere servers vulnerable to a security flaw, now tracked as CVE-2023-0669.
This flaw enables attackers to gain remote code execution on unpatched GoAnywhere MFT instances with their administrative console exposed to Internet access. GoAnywhere MFT's developer Fortra (formerly HelpSystems) had previously disclosed to its customers that the vulnerability had been exploited as a zero-day in the wild and urged customers to patch their systems. The official advisory remains hidden to the public but was earlier made public by investigative reporter Brian Krebs.
In February, Clop reached out and claimed it had breached 130+ organizations and stolen their data over the course of ten days by exploiting this particular vulnerability on enterprise servers. A spokesperson for Saks Fifth Avenue confirmed the incident was linked to Fortra, stating, "Fortra, a vendor to Saks and many other companies, recently experienced a data security incident that led to mock customer data being taken from a storage location used by Saks." The spokesperson also clarified that "The mock customer data does not include real customer or payment card information and is solely used to simulate customer orders for testing purposes."
While Saks Fifth Avenue stated that no real customer data or payment information was stolen, it did not answer whether corporate or employee data was compromised in the incident. The company is taking the situation seriously, conducting an ongoing investigation alongside outside experts and law enforcement, and remains committed to ensuring the safety of the information it holds. It's important to note that Saks OFF 5TH, previously a subsidiary of Saks Inc., is now a separate company and not linked to this incident.