
Fortinet confirms data theft and extortion demands

Fortinet confirmed that a data theft had occurred, but it is unclear what type of data the attacker obtained.

The security vendor published a blog post Thursday evening saying that an unknown threat actor had gained unauthorized access to a limited number of files stored on a third-party cloud-based shared file drive. Fortinet said the attacker did not penetrate the company's network and the incident did not impact operations or services.

Fortinet is one of the largest cybersecurity solution providers in the industry, offering firewalls, Secure Access Service Edge, advanced detection and response capabilities, and VPN products. In recent years, Fortinet VPNs have been frequently attacked by threat actors who exploited various vulnerabilities in the products to gain access to the affected organizations.

Thursday's disclosure confirmed that Fortinet has already notified affected customers and law enforcement authorities.

“An individual gained unauthorized access to a limited number of files stored on Fortinet's instance of a third-party cloud-based shared file drive. This included limited data on a small number (less than 0.3%) of Fortinet customers,” Fortinet wrote in the blog post. “To date, there is no indication that this incident resulted in malicious activity affecting customers.”

Cyber Daily first reported on the breach on Thursday, saying the incident affected Fortinet's customers in the Asia-Pacific region. While Fortinet did not disclose those details, it did provide a statement to Cyber Daily and additional media outlets, including TechTarget Editorial, about other aspects of the breach. The initial statement was similar to the blog post Fortinet published late Thursday.

Security researchers first discovered a post on a well-known cybercrime forum where a threat actor claimed to have 440 GB of leaked data from a Fortinet Azure SharePoint instance. The threat actor said the data was available in his AWS S3 bucket, which other forum members could access.

The forum post also claimed that Fortinet broke off negotiations and refused to pay a ransom. The threat actor called out Fortinet co-founder and CEO Ken Xie, asking why the company had not filed an 8-K form with the U.S. Securities and Exchange Commission to disclose the breach.

Although Fortinet has not confirmed these details, the company stated that neither ransomware nor encryption was involved in the incident. The blog post also said that the company does not expect the incident to have a material impact on its financials or operating results.

“Upon becoming aware of the incident, we immediately initiated an investigation, contained the incident by blocking the unauthorized individual's access, and notified law enforcement and select cybersecurity agencies worldwide. A leading third-party forensics firm was engaged to confirm the findings of our own forensics team,” the blog post said. “In addition, we have implemented additional internal processes to prevent a similar incident from occurring again, including enhanced account monitoring and threat detection measures.”

Fortinet did not respond to requests for further comment at press time.

Arielle Waldman is a news editor at TechTarget Editorial and writes about enterprise security.