Fortinet has confirmed what it describes as a “limited” third-party data breach after a threat actor claimed they stole the company’s 440 GB of files.
“An individual gained unauthorized access to a limited number of files stored on Fortinet’s instance of a third-party cloud-based shared file drive, which included limited data related to a small number (less than 0.3%) of Fortinet customers,” the company said.
Fortinet says it immediately contained the incident by terminating the threat actor’s access, launching an investigation, and notifying law enforcement authorities and some cybersecurity agencies globally.
“Limited” Fortinet data breach leaks 440 GB of files
However, given the limited scope of the cyber incident, the company says the data breach has not “resulted in malicious activity affecting any customers.”
In addition, it did not affect the company’s operations, cause the deployment of ransomware, or compromise the company’s corporate network. The data breach also only affected customers in the Asia-Pacific region.
Customer and employee resources, financial reports, Indian HR documents, product information, marketing strategies, US sales reports, and professional services were exposed during the cyber incident.
However, the Sunnyvale, California-based cybersecurity company doubts the data breach would materially impact its operations, results of operations, or financial condition.
Meanwhile, Fortinet has engaged a leading cyber forensics firm and implemented additional security measures, including enhanced account monitoring to prevent a similar data breach.
“A leading external forensics firm was engaged to validate our own forensics team’s findings. Moreover, we have put additional internal processes in place to help prevent a similar incident from reoccurring, including enhanced account monitoring and threat detection measures.”
“Fortibitch” discloses an embarrassing Fortileak Fortinet data breach
The Fortinet data breach surfaced when a threat actor called “Fortibitch” offered 440 GB of the company’s Azure SharePoint files allegedly stolen from an unsecured Amazon S3 bucket.
In light of the recent data breach, the attacker mocked the company’s acquisition of the data loss prevention (DLP) firm Next DLP and the cloud security company Lacework.
“Fortinet has recently acquired Next DLP. Fyi, DLP is data loss prevention,” Fortibitch said. “They’ve also acquired Lacework, a cloud security company. Guess what? Their Azure SharePoint got leaked.”
The threat actor also attempted to extort the company by demanding an unspecified ransom amount in exchange for not leaking the stolen data.
However, the company allegedly refused to negotiate, with the company’s CEO Ken Xie saying he would rather “eat some p**p” than pay the ransom. The FBI discourages victims from paying extortion to avoid incentivizing cybercriminals to carry out more cyber attacks.
Fortibitch also accused the company of failing to file the regulatory Form 8-K with the U.S. Securities and Exchange Commission (SEC). The federal agency requires publicly traded companies to submit the form within 72 hours, disclosing the material impact of a cybersecurity incident.
However, Fortinet says the filing was unnecessary due to the negligible material impact the data breach had on the company’s results of operations or financial condition.
Yet another Fortinet cybersecurity incident
While Fortinet attributes the latest data breach to a third-party vendor, the company’s slew of vulnerabilities has dominated cybersecurity headlines, leaving millions of customers, including government agencies, at risk of severe cyber attacks.
“Another top cybersecurity company suffers a cyber-related incident, so this must be a trend?” Jim Routh, Chief Trust Officer at cybersecurity company Saviynt, asked.
“Not exactly, in this case, there is not a major business disruption (like the CrowdStrike incident), and the root cause is related to a cybercriminal/threat actor who used compromised credentials to an AWS S3 bucket to get access to customer information from Pacific Rim Fortinet customers.”
In June 2024, Chinese hackers breached the Netherlands Ministry of Defense via two-month-old zero-day FortiGate vulnerabilities that also impacted another 20,000 users.
In February of the same year, Fortinet discovered critical flaws affecting over 100,000 users and was targeted by the Chinese hacking group Volt Typhoon. A month earlier, the cybersecurity company had also discovered two FortiOS and FortiProxy vulnerabilities.
In May 2023, hackers also breached the GitHub repositories of Panopta, a network monitoring and diagnostics platform that Fortinet acquired in 2020.
In October 2022, Fortinet discovered the FortiGate firewall and FortiProxy critical vulnerability CVE-2022-40684 that could allow attackers to log into vulnerable devices without authentication.
“Modern business IT ecosystems are complex, relying on external providers and a hodgepodge of ‘shared responsibility’ agreements as pertains to security,” noted Evan Dornbush, former NSA cybersecurity expert. “So long as the data is valuable, attackers will take interest.