Luxury retailer Saks Fifth Avenue has been targeted by the Clop ransomware gang in a cyberattack on vulnerable GoAnywhere MFT servers belonging to established enterprises.
The threat actor has not disclosed any additional information regarding the incident, such as the data stolen from the luxury brand retailer’s systems or details about any ongoing ransom negotiations.
Clop is known for its ongoing attacks targeting GoAnywhere servers that are vulnerable to a security flaw tracked as CVE-2023-0669. The flaw enables attackers to gain remote code execution on unpatched GoAnywhere MFT instances whose administrative console is exposed to the internet.
Fortra, a vendor to Saks and many other companies, recently experienced a data security incident that led to mock customer data being taken from a storage location used by Saks. Although Saks stated that no “real” customer data or payment information was stolen, it did not address whether corporate or employee data was compromised in this incident.
The retail giant is conducting an ongoing investigation into the incident with outside experts and law enforcement.
The Clop ransomware gang has been exploiting the zero-day vulnerability on enterprise servers since February, breaching over 130 organizations and stealing their data.
Hitachi Energy disclosed a data breach by Clop resulting from the same zero-day this month. The vulnerability had been exploited as a zero-day in the wild, and Fortra had previously disclosed it to its customers and urged them to patch their systems.
Saks OFF 5TH, previously a subsidiary of Saks Inc., is now a separate company and is not linked to this incident.
Saks Fifth Avenue was previously hacked in 2018 by the Fin7 cybercrime syndicate, resulting in the theft of payment card information from 5 million customers.
BuzzFeed News had also reported a year prior to that incident that Saks Fifth Avenue was storing personal information of tens of thousands of customers on publicly accessible pages.