Fintech banking platform Hatch Bank has reported a data breach after hackers stole the personal information of nearly 140,000 customers from the company’s Fortra GoAnywhere MFT secure file-sharing platform.

Hatch Bank is a financial technology company enabling small businesses to access banking services from other financial institutions.

As reported by TechCrunch, data breach notifications sent to affected customers and filed with Attorney General’s offices warned that hackers exploited a vulnerability in the GoAnywhere MFT software to steal the data of 139,493 customers.

“On January 29, 2023, Fortra experienced a cyber incident when it learned of a localized vulnerability in its software,” the data breach notification from Hatch Bank warned.

“On February 3, 2023, Hatch Bank was notified by Fortra of the incident and learned that its files on Fortra’s GoAnywhere site were subject to unauthorized access.”

Hatch says they conducted a review of the data that was stolen and determined that the customers’ names and social security numbers were stolen by the attackers.

The bank added that it was offering free access to credit monitoring services for twelve months to those affected.

This is the second confirmed data breach caused by the GoAnywhere MFT attacks, with the first disclosed by Community Health Systems (CHS) last month.

Clop ransomware gang behind GoAnywhere breaches

While Hatch Bank did not reveal which threat actor carried out the attack, the Clop ransomware gang told BleepingComputer they were behind these attacks and had stolen data from more than 130 organizations.

The ransomware gang claims to have used a zero-day vulnerability in Fortra’s GoAnywhere MFT secure file-sharing platform to steal data for ten days.

The vulnerability is now identified as CVE-2023-0669 and is a remote code execution vulnerability allowing remote hackers to gain access to servers. GoAnywhere disclosed the vulnerability to customers in early February after learning that it was being actively exploited in attacks.

An exploit for the vulnerability was made public one day before the platform received an emergency patch on February 7.

BleepingComputer could not independently confirm Clop’s claims that they were behind the attacks, and Fortra never responded to our emails.

However, Huntress Threat Intelligence Manager Joe Slowik also found links between the GoAnywhere MFT attacks and TA505, the hacking group known for deploying the Clop ransomware.

Clop is known to have used a similar tactic in December 2020, when they exploited a zero-day vulnerability in Accellion’s File Transfer Appliance (FTA) system to steal data from companies around the world.

Like GoAnywhere MFT, Accellion FTA allows organizations to securely share files with their customers.

As part of these attacks, the Clop ransomware gang attempted to extort victims by demanding a ransom of $10 million to prevent the publication of the stolen data.

The Accellion FTA attacks caused massive damage, with many organizations disclosing related breaches, including Morgan Stanley, Qualys, energy giant Shell, and supermarket giant Kroger. Several universities around the world have also been affected, including Stanford Medicine, University of Colorado, University of Miami, and University of California.

While it’s unclear if Clop is demanding similar ransoms from victims of GoAnywhere MFT attacks, if the gang follows similar tactics, we’ll start to see stolen data appear on their data leak site in the future.
