A ransom group linked to one of the year's largest ransom campaigns has dumped stolen Rio Tinto data on the dark web, including employee payroll information.
On 23 March, mining giant Rio Tinto revealed a third-party cyber attack against one of its suppliers, GoAnywhere, could have exposed the personal data of current and former Australian employees.
Rio initially told its staff that while threats had "been made by a cyber criminal group" to release data on the dark web, it was unsure whether the cyber criminal group actually possessed the stolen data.
Since then, ransom group Cl0p – which claims responsibility for the alleged data hack – has updated its dark web page to include a slew of purported Rio Tinto data.
A listing for Rio Tinto on the group's blog reads: "The company doesn't care about its customers, it ignored their security!!!" before going on to enumerate a collection of allegedly stolen files and folders.
The criminal group also uploaded a selection of sample data which includes alleged Rio Tinto payroll information, employee overpayment summaries, child support materials, and part of a spreadsheet ominously labelled "All_Firewalls".
Personal details such as first names, last names and addresses also appeared among the hacker forum's sample of allegedly leaked data.
Rio's apparent data leak stems from a third-party security incident at GoAnywhere – a file transfer tool offered by cyber security firm Fortra.
On 30 January, Fortra uncovered a zero-day vulnerability (now identified as CVE-2023-0669) in its GoAnywhere software – it was eventually patched on 7 February, but ransom gang Cl0p has since claimed it repeatedly exploited the vulnerability for one of the biggest ransom sprees of the year.
The Cl0p group claims to have stolen data from more than 130 organisations so far, including confirmed breaches at Japanese energy provider Hitachi Energy and British multinational conglomerate Virgin.
Rio Tinto's listing on the criminal group's dark web page initially displayed no stolen data – as was the case for many of Cl0p's victims before an eventual data dump.
Information Age has reached out to Rio Tinto for comment.
Tasmanian Government appears among listed victims
The Tasmanian Government is currently investigating the compromise of GoAnywhere after it too reported being impacted by the landmark third-party data breach.
After an initial statement late on Friday which offered scant details about a "breach of a third-party file transfer service", Technology Minister Madeleine Ogilvie provided a further update on Sunday, declaring the government was taking "swift action" to investigate the breach and ascertain if any information had been compromised.
"The Tasmanian Government continues to investigate a compromise of a third-party file transfer service, which may have resulted in the loss of data held by the Government," said Ogilvie.
"The Tasmanian Government is one of many organisations using the third-party file transfer service GoAnywhere MFT, which disclosed a software vulnerability that had possibly been exploited globally."
According to the ABC, Ogilvie told reporters investigations had so far shown no data had been compromised.
"At this time, I can say we are not aware that any government information has been released, but the matter is ongoing," she said.
Ogilvie went on to emphasise GoAnywhere "transfers information" and "is not a storage system", but refused to disclose what information was transferred by or stored on the platform.
Labor's Jen Butler levied criticism at the government's initial announcement of the breach, citing a lack of detail about "what precisely has been breached, how many Tasmanians may be affected or what type of personal information may be at risk."
"Given the valuable information held by the government on all Tasmanians – including driver licence details, births, deaths and marriages data and medical records, it is vital that Tasmanians know their personal information could be at risk," said Butler.
Ogilvie said the security of government information and the safety of Tasmanians "remains of paramount importance", and the government's cyber security team would "continue to work closely with federal experts" as investigations continue.
Ogilvie also emphasised that should the investigation reveal any personal information has been compromised, the government will "work with anyone affected" and "ensure support is available".
Meanwhile, a listing for the Tasmanian Government has sat on Cl0p's dark web forum for some time now.
The dark web listing does not contain any leaked data at the time of writing – as was initially the case for Rio Tinto – but simply reads "Coming soon…" under a section labelled 'information'.
Other victims listed by Cl0p include Crown Resorts, Australia's largest gaming and entertainment group, which has also launched an investigation of its own.