Mining giant Rio Tinto has revealed a cyber attack against one of its suppliers could have exposed the personal data of former and current Australian employees.

On 23 March, Rio told employees a cyber criminal group had possibly stolen a range of payroll information belonging to a small number of staff, including pay slips and overpayment letters dating back to January.

“Investigations now indicate a possibility that Rio Tinto data may be impacted,” Rio said in a memo to staff.

“This data relates to certain records processed by our payroll services team in January 2023 (such as payslips and overpayment letters) for a small portion of past and present employees based in Australia.”

The potential data breach stems from a third-party cyber attack against file transfer tool GoAnywhere, which was reportedly hacked by fast-growing ransomware group Cl0p.

Rio said it was “deeply disappointed” over the attack at its cloud-based vendor and was quick to downplay the impact against its own staff and systems, claiming it had not found evidence of stolen data appearing online.

“While investigations into this incident are ongoing and threats have been made by a cyber criminal group to release data on to the dark web, to date none of the records described above have been released, and we still do not know if the cyber criminal group holds these records or not,” the staff memo read.

However, the Cl0p ransom group has since updated its dark web leak site to include Rio Tinto in its list of latest victims.

At the time of writing, a scant posting on Cl0p's leak site simply reads “coming soon” under a section labelled “information” for Rio Tinto.

Rio further explained there was no “operational impact or risk” to the Rio Tinto network itself, given that its supplier GoAnywhere is cloud-based.

The mining company said it would continue to monitor the situation closely and would keep potentially impacted employees updated amid ongoing investigations.

GoAnywhere vulnerability wreaks havoc

Cyber security firm Fortra, the owner of GoAnywhere, has been the subject of blame for a growing list of potential data breaches in past weeks, including Rio Tinto.

Japanese energy provider Hitachi Energy recently pointed to Fortra as the source of a third-party incident which potentially exposed its employee data across multiple countries.

Other entities to report collateral damage related to Fortra include US healthcare provider Community Health Systems – which confirmed the personal and medical information of about one million individuals may have been impacted in relation to a Forta security breach – and cyber security vendor Rubrik which said attackers stole corporate data such as customer names, business contacts, and purchase orders.

Fortra's string of recent attacks stem from a zero-day vulnerability it discovered in its GoAnywhere software on 30 January.

The vulnerability remained unpatched until 7 February, and since then ransom gang Cl0p has claimed responsibility for a slew of attacks which exploit the GoAnywhere vulnerability to deploy ransomware on unpatched systems.

The Russia-linked gang's signature ransomware has been one of the most prevalent forms of malware in recent years, and has been linked to cyber incidents impacting the likes of Transport for NSW, the Australian Securities and Investments Commission and Reserve Bank of New Zealand.

While Rio Tinto has confirmed a cyber criminal group threatened to release its data, the mining company has not explicitly stated who is behind the potential data breach.

Rio said the “safety of our people” was its top priority, and expressed “sincere apologies to those impacted”.