
Procter & Gamble confirms data theft via GoAnywhere zero-day


Consumer goods giant Procter & Gamble has confirmed a data breach affecting an undisclosed number of employees after its GoAnywhere MFT secure file-sharing platform was compromised in early February.

While the company didn’t say who was behind the security breach, this is part of an ongoing spree of extortion demands linked to the Clop ransomware gang’s attacks targeting Fortra GoAnywhere secure storage servers worldwide.

According to Procter & Gamble, the attackers didn’t gain access to employees’ financial or social security information, although they did manage to steal some of their data.

“P&G can confirm that it was one of the many companies affected by Fortra’s GoAnywhere incident. As part of this incident, an unauthorized third party obtained some information about P&G employees,” Procter & Gamble told BleepingComputer.

“The data that was obtained by the unauthorized party didn’t include information such as Social Security numbers or national identification numbers, credit card details, or bank account information.”

P&G says it has no evidence that this data breach impacted customer data and that it stopped using Fortra’s GoAnywhere secure file-sharing services after discovering the incident.

“When we learned of this incident in early February, we promptly investigated the nature and scope of the issue, disabled [the] use of the vendor’s services, and notified employees,” the company added.

“At this time, there is no indication that customer data was affected by this issue. Our business operations are continuing as normal.”

Clop claims it stole files from over 130 organizations

The Clop ransomware gang previously told BleepingComputer that it exploited the CVE-2023-0669 GoAnywhere vulnerability as a zero-day to breach and steal data from the secure storage servers of more than 130 organizations.

They allegedly stole the data over ten days after breaching Internet-exposed servers vulnerable to exploits targeting this bug.

The threat actors also claimed they only stole the documents stored on the victims’ compromised file-sharing platforms, although they could’ve also easily moved laterally through their networks to deploy ransomware payloads.

Clop began publicly extorting the GoAnywhere attacks’ victims on March 10 when it added seven companies to its data leak site.

So far, the list of victims who came forward to acknowledge GoAnywhere breaches and that Clop is extorting them also includes healthcare giant Community Health Systems (CHS), fintech platform Hatch Bank, cybersecurity firm Rubrik, Hitachi Energy, luxury brand retailer Saks Fifth Avenue, and the City of Toronto, Canada.

In ransom notes sent to the victims and seen by BleepingComputer, the ransomware gang introduces themselves as the “Clop hacker group,” warning victims that they had stolen sensitive documents, which would be published online on Clop’s leak site and sold on the black market if the victims were unwilling to negotiate.

“We want to inform you that we have stolen important information from your GoAnywhere MFT resource and have attached a full list of files as evidence,” the ransom notes read.

“We deliberately did not disclose your organization and wanted to negotiate with you and your leadership first. If you ignore us, we will sell your information on the black market and publish it on our blog, which receives 30-50 thousand unique visitors per day.”

Also behind the 2020 Accellion breaches

The ransomware gang’s alleged use of a GoAnywhere MFT zero-day to steal sensitive files from victims’ secure sharing servers is similar to the use of an Accellion FTA zero-day vulnerability to steal the data of roughly 100 companies in December 2020.

In the Accellion attacks, Clop stole huge amounts of data and demanded $10 million ransoms from high-profile companies such as energy giant Shell, cybersecurity firm Qualys, supermarket giant Kroger, and universities worldwide (e.g., Stanford Medicine, University of Colorado, and the University of California).

The Clop gang has also been linked to ransomware attacks since at least 2019, encrypting and stealing files from the servers of a long string of victims, including Software AG IT, Maastricht University, ExecuPharm, and Indiabulls.
