Hatch Bank reported a data breach after threat actors stole the personal information of almost 140,000 customers from the company’s Fortra GoAnywhere MFT secure file-sharing platform. On January 29th, Fortra experienced a cyber incident when it learned of a vulnerability that was impacting its systems. On February 3rd, Hatch Bank learned that its files stored on the Fortra system were part of the breach. Hatch Bank says it reviewed the stolen data and determined that the attackers had taken customers’ names and Social Security numbers. Although neither Fortra nor Hatch Bank has publicly disclosed who was responsible, the Clop ransomware group has claimed responsibility for the attack.
Hatch Bank has offered free access to credit monitoring services for 12 months to any affected individuals. This attack is just one example of an incident involving a third-party service. An organization looking to do business with a third-party company should conduct its own security audit of that company before signing a contract. This can include paying for a penetration test or requesting recent penetration test results, as well as reviewing required security audit documentation.