Fortinet confirms data breach after allegedly refusing to pay ransom


Fortinet, the third-largest cybersecurity company in the world, has confirmed it suffered a data breach after a threat actor released 440 gigabytes of exfiltrated data online.

The threat actor, called “Fortibitch,” said that it had leaked the data allegedly taken from Fortinet’s SharePoint repository after an unsuccessful extortion attempt.

According to the crook, Fortinet, a California-based firm selling secure networking products like firewalls, routers, and VPN devices, allegedly wrote to them that the company would rather “eat poop than pay a ransom.”


Fortinet soon confirmed that customer data was stolen from a “third-party cloud-based shared file drive.”

“An individual gained unauthorized access to a limited number of files stored on Fortinet’s instance of a third-party cloud-based shared file drive, which included limited data related to a small number (less than 0.3%) of Fortinet customers,” the firm said in a blog post.

The incident reportedly affected customers within the Asia-Pacific region, but Fortinet stressed that there was no indication that the incident “has resulted in malicious activity.”

Ransomware wasn’t deployed, and Fortinet’s corporate network wasn’t accessed, the firm said.

Still, according to CloudSEK, an AI-driven threat intelligence company that shared its report on the incident with Cybernews, the leaked data included sensitive Fortinet documents.

The documents include employee resources, financial reports, HR documents from India, product offerings, US sales reports, professional services material, marketing strategies, and customer information.

CloudSEK also noted that “Fortibitch” references other hacking groups on a hacking forum, among them DC8044, a collective based in Ukraine.

“There are no direct links between ‘Fortibitch’ and DC8044, but the tone suggests a history between the two. Based on the available information, we can ascertain with medium confidence that the threat actor is based out of Ukraine,” said CloudSEK.


Fortinet also said it immediately began an investigation and contained the incident by terminating the unauthorized individual’s access. Law enforcement and cybersecurity agencies around the world were also notified.