Pension Protection Fund
The Renaissance building in Croydon, South London, houses the Pension Protection Fund's headquarters. Image: PPF

UK Pension Protection Fund latest victim of GoAnywhere hack

The U.K. Pension Protection Fund, one of Britain’s largest asset owners, managing £39 billion, has confirmed it has been affected by the hack of popular file transfer service GoAnywhere.

A large number of organizations have confirmed in recent days that hackers had accessed their data in connection to the incident, including the City of Toronto and the British multinational Virgin.

More than three dozen victims were added to the Clop ransomware group’s leak site on Thursday, all of whom appear to have been affected by the GoAnywhere hack.

Clop originally told Bleeping Computer that it hacked into more than 130 organizations through a vulnerability in GoAnywhere, which is being tracked as CVE-2023-0669.

The PPF said that at the time the incident was first disclosed to them, GoAnywhere’s parent company Fortra “assured us that our data had not been impacted.”

However the PPF is now listed on the Clop site alongside the other victims.

In its statement, the corporation said it “recently became concerned” about a potential incident, “immediately stopped using Go Anywhere and began an investigation, working closely with Fortra and our security partners.”

A spokesperson told The Record that the PPF had not entered into any negotiations with the criminal group.

It confirmed that “some of our current and former employees have been affected” adding: “We have already advised all of those affected of the situation and offered our support and additional monitoring services to help them.”

The U.K.'s data protection regulator, the Information Commissioner's Office, said the PPF filed a report on the incident. "After carefully reviewing the information provided we gave data protection advice and recommendations and closed the case with no further action," an ICO spokesperson said.

The PPF was created in 2004 to protect pension scheme members in cases where the funds lose their members’ money.

It is accountable to parliament although it is not publicly funded, instead receiving a levy from the pension schemes it covers as well as income from its investments.

“We can reassure our current members and levy payers that none of their data has been involved in the breach,” the PPF stated.

Last week, Japanese tech giant Hitachi and Canadian financier Investissement Québec confirmed to The Record that they had suffered hacks related to the Fortra issue after being added to Clop’s list.

Rio Tinto, the world's second-largest metals and mining corporation, said it was investigating the issue after also being added to the list.

Cloud data management giant Rubrik told The Record it was also hacked, while one of the largest health providers in the U.S. and Hatch Bank informed regulatory bodies of their own incidents.

Louise Ferrett, threat intelligence analyst at Searchlight Cyber, noted that this is not the first time Clop has “mass-hacked” a number of organizations by exploiting vulnerabilities in third-party software.

In late 2020 and early 2021 the ransomware group used the same tactic to attack more than 100 organizations with Accellion's legacy File Transfer Appliance, using a combination of zero-day vulnerabilities and a new web shell.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Alexander Martin

Alexander Martin

is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.