Investors join nationwide law firm suit
Multiple class action lawsuits have already been launched in the United States following the massive data breaches and exploitation related to Fortra's GoAnywhere MFT file transfer software in January.
Now those lawsuits may be piling up north of the border. A law firm in Saskatchewan, Canada - Merchant Law Group, has launched a nationwide class action suit. The claimants in this suit are Canadian investors in Mackenzie Financial who allege their personal information was compromised in a hack linked to GoAnywhere.
The defendants in this case include Mackenzie Financial and Edward Jones; Investor.com, a company responsible for managing information provided to clients of investment firms; and Fortra.
For a class action suit to move forward, it needs the approval of a judge.
The lawsuit brought forth on behalf of Mackenzie investors residing in B.C., Manitoba, Saskatchewan, and Newfoundland and Labrador, asserts that Mackenzie and Edward Jones enlisted the services of Investor.com for data transfer. This included the exchange of personal and financial details between employees and partners. Investor.com and Edward Jones purportedly utilized the cloud version of GoAnwhere (named GoAnywhere MFTaaS) for this purpose.
According to the lawsuit, hackers took advantage of a zero-day flaw in GoAnywhere MFTaaS in late January. This allowed them to set up unauthorized accounts in the systems of certain public and private sector clients and proceed to duplicate data. Fortra confirmed this incident in a public statement later.
On March 28, Investor.com allegedly informed Mackenzie and Edward Jones about the breach in GoAnywhere MFTaaS and revealed that names, addresses, and Social Insurance numbers of Mackenzie's customers had been exposed.
The Cl0p ransomware group has publicly claimed responsibility for the breach. The lawsuit attempts to link this recent attack to a similar incident that occurred in 2021, where the Cl0p gang exploited a vulnerability in the Accellion file transfer application.
"The Defendants failed to take precautionary steps despite the well-documented history of Clop attackers employing similar strategies to steal data from over 100 companies using Accellion FTA," says the lawsuit. It further claims that despite numerous advisories published in 2021 detailing the cause of the previous attack and suggesting prevention methods, the defendants didn't show due diligence in thwarting potential attacks on GoAnywhere.
These accusations are yet to be substantiated in court.
In May, Mackenzie Financial assured InvestmentExecutive.com that customers' financial details, such as account balances and holdings, were not impacted by the breach.
Several organizations have disclosed that they fell prey to the GoAnywhere vulnerability, including Hitachi Energy, Cineplex, Onex, and Charles Schwab/TD Ameritrade.
In the United States, various class actions have been filed against both Fortra and its clients. DataBreachToday.com reports that NationsBenefits Holdings, a third-party benefits administrator, and health insurance provider Aetna are among the implicated parties. The allegations in these lawsuits are yet to be confirmed in court.
