View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
March 29, 2023updated 30 Mar 2023 8:28am

Information on 63,000 children leaks online after Cl0p’s cyberattack on Fortra

A flaw discovered in January has been exploited by the cybercriminals to attack myriad organisations.

By Claudia Glover

Data belonging to 63,000 minors has leaked online after a children’s mental health provider become the latest victim of an ongoing cyberattack on software company Fortra. The company, Brightline, is one of 130 to be hit as part of the attack, perpetrated by Russian ransomware gang Cl0p. It is “extremely likely” that other cybercriminals are now taking advantage of the flaw in Fortra’s system, researchers say.

Brightline, which is part of Blue Shield health insurance, has been impacted by a cyberattack on Fortra. (Photo by Jonathan Weiss/Shutterstock)

Brightline is part of the Blue Shield health insurance company in the US, and a breach notification filed by Blue Shield reveals that data including names, addresses, dates of birth, gender, Blue Shield subscriber ID numbers, phone numbers and email addresses has been stolen.

It is not known if a ransom has been demanded or paid.

Brightline is latest victim of Fortra cyberattack

The attack on Fortra initially took place in January, with the criminals exploiting a security flaw in the company’s GoAnywhere file transfer service, giving them access to files that had been transferred. Cl0p claims to have information on 130 businesses, and has been leaking data ever since.

Fortra has since released emergency security updates for those affected by the flaw, now called CVE-2023-0669, and new victims of the attack continue to come forward.

Since the Brightline disclosure, David Keystone, chief privacy officer at Blue Shield, has written to clients informing them of the breach.

He says the company will offer affected clients a one-year membership to Experian Identity Works to help them track whether their child’s data is being misused. Information belonging to minors is known as “fresh data” on the dark web as it is useful in creating new identities. As such it can sell for a high price.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

Brightlines and Fortra have yet to respond to requests for comment from Tech Monitor.

More victims of Fortra breach likely

Victims of the Fortra attack listed by Cl0p on its dark web victim blog include US healthcare provider US Wellness, insurance company MunichRE, Virgin Atlantic’s Virgin Red rewards scheme, publisher Scholastic and cinema chain Cineplex.

Others that have confirmed that their systems have been breached include the City of Toronto, Investissement Québec, Community Healthcare Systems in the US, Hitachi, digital finance incumbent Hatch Bank and cybersecurity giant Rubrik.

The UK Pension Protection Fund, which manages assets worth £39bn, has also been impacted, and said last week it was investigating what had happened.

“Understanding what data may have been compromised and contacting anyone potentially affected has been our top priority. We can assure our current members and levy payers that none of their data has been involved in the breach,” the fund said.

US cybersecurity agency CISA has added the bug to its list of exploited vulnerabilities, announcing that civilian federal agencies must patch the issue as a matter of urgency.

Fortra said in a statement that it had “determined that an unauthorised party accessed the systems via a previously unknown exploit and created unauthorised user accounts.” The statement added that services had been disabled when the breach was discovered, and are now “Being restored on a customer-by-customer basis as mitigation is applied and verified within each environment.”

It added: “We are working directly with customers to assess their individual potential impact, apply mitigations and restore systems.”

Now that the flaw is in the wild it is reasonable to assume that it will be abused by other cybercriminals, Jim Simpson, director of threat intelligence at Searchlight Cyber told Tech Monitor. “I would assess it is extremely likely that other threat actors are taking advantage of this vulnerability,” he says. “Given the nature and availability of the vulnerability and the fact it has already been leveraged, threat actors can take advantage of that knowledge.”

Read more: China hit by cyberattacks from US and allies

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.