Fintech banking platform Hatch Bank has reported a data breach after hackers stole the personal information of almost 140,000 customers from the company’s Fortra GoAnywhere MFT secure file-sharing platform.
Hatch Bank is a financial technology firm allowing small businesses to access bank services from other financial institutions.
As reported by TechCrunch, data breach notifications sent to impacted customers and filed with Attorney General’s offices warned that hackers exploited a vulnerability in the GoAnywhere MFT software to steal the data of 139,493 customers.
“On January 29, 2023, Fortra experienced a cyber incident when they learned of a vulnerability located in their software,” warned the Hatch Bank data breach notification.
“On February 3, 2023, Hatch Bank was notified by Fortra of the incident and learned that its files contained on Fortra’s GoAnywhere site were subject to unauthorized access.”
Hatch says they conducted a review of the data that was stolen and determined that that customers’ names and social security numbers were stolen by the attackers.
The bank added that it is providing free access to credit monitoring services for twelve months to affected individuals.
This is the second confirmed data breach caused by the GoAnywhere MFT attacks, with the first one disclosed by Community Health Systems (CHS) last month.
Clop ransomware gang behind GoAnywhere breaches
While Hatch Bank did not disclose what threat actor conducted the attack, the Clop ransomware gang told BleepingComputer that they were behind these attacks and had stolen data from over 130 organizations.
The ransomware gang says they utilized the zero-day vulnerability in Fortra’s GoAnywhere MFT secure file-sharing platform to steal data over ten days.
The vulnerability is now tracked as CVE-2023-0669 and is a remote code execution vulnerability allowing remote threat actors to access servers. GoAnywhere disclosed its vulnerability to customers in early February after learning it was being actively exploited in attacks.
An exploit was publicly released for the vulnerability a day before the platform received an emergency patch on February 7th.
BleepingComputer could not independently confirm Clop’s claims that they were behind the attacks, and Fortra never replied to our emails.
However, Huntress Threat Intelligence Manager Joe Slowik also found links between the GoAnywhere MFT and TA505, the hacking group known for deploying Clop ransomware.
Clop is known for using a similar tactic in December 2020, when they exploited a zero-day vulnerability in Accellion’s File Transfer Appliance (FTA) system to steal data from companies worldwide.
Like GoAnywhere MFT, Accellion FTA allows organizations to share files with their customers securely.
As part of these attacks, the Clop ransomware gang attempted to extort victims by demanding a $10 million ransom to prevent the stolen data from being published.
The Accellion FTA attacks caused widespread damage, with numerous organizations disclosing related breaches, including Morgan Stanley, Qualys, energy giant Shell, supermarket giant Kroger. Multiple universities worldwide were also affected, including Stanford Medicine, University of Colorado, University of Miami, and the University of California.
While it is unknown if Clop is demanding similar ransoms to victims of the GoAnywhere MFT attacks, if the gang follows similar tactics, we will begin to see stolen data appear on their data leak site in the future.