Consumer goods giant Procter & Gamble has confirmed a data breach affecting an undisclosed number of employees after its GoAnywhere MFT secure file-sharing platform was compromised in early February. The breach is part of an ongoing series of extortion demands linked to the Clop ransomware gang's attacks targeting Fortra GoAnywhere secure storage servers worldwide. Procter & Gamble stated that the attackers did not gain access to employees' financial or social security information, but did manage to steal some of their data. The company said, "P&G can confirm that it was one of the many companies affected by Fortra's GoAnywhere incident. As part of this incident, an unauthorized third party obtained some information about P&G employees."
The stolen data did not include information such as Social Security numbers or national identification numbers, credit card details, or bank account information. P&G also confirmed that there is no evidence that this data breach impacted customer data and that they stopped using Fortra's GoAnywhere secure file-sharing services after discovering the incident. The company added, "When we learned of this incident in early February, we promptly investigated the nature and scope of the issue, disabled [the] use of the vendor's services, and notified employees. At this time, there is no indication that customer data was affected by this issue. Our business operations are continuing as normal."
The Clop ransomware gang previously claimed to have exploited the CVE-2023-0669 GoAnywhere vulnerability as a zero-day to breach and steal data from the secure storage servers of more than 130 organizations. They allegedly stole the data over ten days after breaching Internet-exposed servers vulnerable to exploits targeting this bug. The threat actors also claimed they only stole the documents stored on the victims' compromised file-sharing platforms, although they could've also easily moved laterally through their networks to deploy ransomware payloads.
Clop began publicly extorting the GoAnywhere attacks' victims on March 10 when it added seven companies to its data leak site. The list of victims who came forward to acknowledge GoAnywhere breaches and that Clop is extorting them also includes healthcare giant Community Health Systems (CHS), fintech platform Hatch Bank, cybersecurity firm Rubrik, Hitachi Energy, luxury brand retailer Saks Fifth Avenue, and the City of Toronto, Canada.
In ransom notes sent to the victims, the ransomware gang introduces itself as the "Clop hacker group," warning victims that it had stolen sensitive documents, which would be published online on Clop's leak site and sold on the black market if the victims were unwilling to negotiate. The ransom notes read, "We want to inform you that we have stolen important information from your GoAnywhere MFT resource and have attached a full list of files as evidence. We deliberately did not disclose your organization and wanted to negotiate with you and your leadership first. If you ignore us, we will sell your information on the black market and publish it on our blog, which receives 30-50 thousand unique visitors per day."
The ransomware gang's alleged use of a GoAnywhere MFT zero-day to steal sensitive files from victims' secure sharing servers closely resembles its use of an Accellion FTA zero-day vulnerability to steal the data of roughly 100 companies in December 2020. In the Accellion attacks, Clop stole massive amounts of data and demanded $10 million ransoms from high-profile companies such as energy giant Shell, cybersecurity firm Qualys, supermarket giant Kroger, and universities worldwide (e.g., Stanford Medicine, University of Colorado, and the University of California). The Clop gang has also been linked to ransomware attacks since at least 2019, encrypting and stealing files from the servers of a long string of victims, including Software AG IT, Maastricht University, ExecuPharm, and Indiabulls.