US-based cloud data management and data security company Rubrik has confirmed that its data was stolen using a zero-day vulnerability in the Fortra GoAnywhere secure file transfer protocol.
GoAnywhere MFT is a popular file-sharing service developed by Fortra and used by large businesses to share sensitive files securely.
Tracked as CVE-2023-0669, the vulnerability resides in the administrative web interface and could be exploited by a remote attacker to achieve remote code execution via a malicious request. Fortra released an emergency patch to address the flaw back in February 2023, warning that the bug was being actively exploited by threat actors.
Rubrik said in a statement that the company was one of the victims of a large-scale campaign against GoAnywhere MFT devices across the globe using CVE-2023-0669.
“We detected unauthorized access to a limited amount of information in one of our non-production IT testing environments as a result of the GoAnywhere vulnerability. Importantly, based on our current investigation, being conducted with the assistance of third-party forensics experts, the unauthorized access did NOT include any data we secure on behalf of our customers via any Rubrik products,” Rubrik CISO Michael Mestrovichon said.
The affected data includes Rubrik internal sales information such as certain customer and partner company names, business contact information, and a limited number of purchase orders from Rubrik distributors. Sensitive personal data such as social security numbers, financial account numbers, or payment card numbers is said to have not been impacted in the breach.
The data breach disclosure comes after the Clop ransomware gang added Rubrik to its list of victims, sharing samples of stolen files that contain what appears to be internal Rubrik data, such as names, email addresses, and locations of employees. On its data leak site the gang stated that the data would soon be publicly released.
Earlier this month, fintech banking platform Hatch Bank disclosed a data breach after hackers stole the personal information of almost 140,000 customers using the GoAnywhere bug.