Cyber security firm Fortinet has confirmed it suffered a data breach after a new user on a hacking forum published an alleged 440GB of stolen data.
Fortinet is the world’s third-largest cyber security firm behind Palo Alto and CrowdStrike.
Most known for its endpoint protection and firewall products, the US-based firm serves most of the Fortune 500 list and has a notable foothold in Australia’s cyber security market.
On Thursday, a member of a popular hacking forum claimed to have attacked Fortinet through a storage instance on Microsoft SharePoint, allegedly stealing and publishing some 440GB of data.
“440GB of data available,” said the hacker, going by the username ‘Fortibitch’.
“You will need an S3 client to login, not via a browser.
“Go ahead.”
Fortinet soon after confirmed it had suffered a data breach impacting a “limited number of files” which were stored on a “third-party cloud-based shared file drive”.
These files included “limited data” related to “less than 0.3 per cent” of Fortinet customers: about 2,000 of the company’s client base of approximately 755,000.
On Thursday, the company said there was no indication the incident had resulted in “malicious activity affecting any customers” – though it is unknown how many people have downloaded the leaked data and could use it for malicious activity at a later date.
“Fortinet’s operations, products, and services have not been impacted, and we have identified no evidence of additional access to any other Fortinet resource,” the company said in a statement.
“The incident did not involve any data encryption, deployment of ransomware, or access to Fortinet’s corporate network.”
The leak came shortly after Fortinet finalised an acquisition of AI-powered cloud security provider Lacework.
Notably, the hacker said Lacework is responsible for the allegedly leaked drive behind Fortinet’s data breach.
The threat actor – who appears to be using an anonymous, throwaway account – said they tried to extort a ransom payment out of Fortinet but were personally rebuffed by chief executive Ken Xie.
Meanwhile, their forum post has attracted nearly 7,000 views at the time of writing, and points visitors to a public cloud storage container or ‘Amazon S3 bucket’ for access to the data.
“I'm not selling it,” said the hacker.
“It's completely free and already published.”
Most forum users struggled to perform the technical steps needed to access the alleged leak bucket – and Information Age has since confirmed it is no longer available to the public.
“I will share the data another way,” said the hacker.
Asia-Pacific customers impacted
In 2015, Fortinet ramped up its distribution efforts in Australia and New Zealand, cementing a competitive spot against the likes of Cisco and Juniper Networks as a leading firewall and security vendor for Aussie organisations and data centres.
As reported by Capital Brief, Fortinet's data breach may have occurred as far back as last month, and affects the data of customers in the Asia-Pacific.
While Fortinet did not tell Information Age how many of its Aussie customers had been impacted by the incident, its domestic clients include bakery chain Bakers Delight, rail operator Pacific National, NSW insurer Icare, and the WA Department of Education.
Recently, the company also joined CrowdStrike and Microsoft on the list of endpoint protection suppliers which are approved to supply to the Victorian government.
In a submission to Australia's 2023-2030 Cyber Security Strategy, Fortinet further described itself as a “trusted partner across many industries”, and boasted its role in the safety and reliability of “a wide variety of [Australia’s] most critical infrastructure”.
Home Affairs did not respond to Information Age when asked whether any Australian customers of Fortinet had been impacted, though a department spokesperson said the National Office of Cyber Security is “aware of reports regarding a potential cyber incident impacting Fortinet and stands ready to assist”.
Fortinet says it has commenced investigations, notified law enforcement agencies globally, and contained the incident by terminating unauthorised access.