First Canadian class action suit filed in GoAnywhere MFT hacks

Several proposed class action lawsuits have been filed in the U.S. stemming from the exploitation and data thefts in January from a vulnerability in Fortra’s GoAnywhere MFT file transfer software. Now a Canadian action has been filed.

Last week a Saskatchewan-based law firm, Merchant Law Group. launched a national class action suit on behalf of Canadian investors in Mackenzie Financial who say their personal information was stolen in a GoAnywhere-related hack.

Named as defendants are Mackenzie Financial and Edward Jones; Investor.com, which manages information delivered to customers of investment firms; and Fortra.

Class action suits have to be approved by a judge before proceeding.

The statement of claim on behalf of Mackenzie investors in B.C., Manitoba, Saskatchewan and Newfoundland and Labrador alleges Mackenzie and Edward Jones hired Investor.com to transfer data — including personal and financial information — between employees and partners. Investor.com and Edward Jones, it alleges, used the cloud version of GoAnwhere (called GoAnywhere MFTaaS) for data exchange.

In late January, the claim alleges, hackers exploited a zero-day vulnerability in GoAnywhere MFTaaS to create unauthorized accounts in some public and private sector customers’ environments, then copied data. That was later confirmed in a public statement from Fortra.

On Mar. 28, the claim alleges, Investor.com notified Mackenzie and Edward Jones of the GoAnywhere MFTaaS breach and that Mackenzie customers’ names, addresses and Social Insurance numbers had been leaked.

The Clop ransomware gang has taken credit for the attack. The statement of claim attempts to tie the GoAnywhere attack to the Clop gang’s exploitation of a vulnerability in the Accellion file transfer application in 2021.

“The Defendants chose not to take preventative measures even after the well-known previous similar tactics used by the Clop attackers to steal the data of more than 100 companies from Accellion FTA,” the statement of claim says. Many advisories were published in 2021 explaining the cause of that attack, the claim says, to prevent similar attacks. However, the claim alleges, the defendants didn’t exercise due diligence in preventing attacks on GoAnywhere.

The allegations haven’t been proven in court.

Fortra was asked Monday to comment on the filing of the suit. No response was received by the end of Tuesday.

In May, Mackenzie Financial told InvestmentExecutive.com that customers’ financial information, such as holdings and account balances, were not exposed in the hack.

A number of companies have admitted they were victimized by the GoAnywhere vulnerability, including the City of Toronto, CineplexOnex, and Hitachi Energy.

In the U.S., a number of class actions have been filed against Fortra and its customers. According to DataBreachToday.com, several involve third-party benefits administrator NationsBenefits Holdings and health insurer Aetna. None of the claims in those suits have been proven in court.

Asked to comment on the likelihood that more Canadian class actions will be filed involving data breaches from GoAnywhere or MOVEit — another file transfer utility — Halifax privacy lawyer David Fraser said it is becoming more clear after the Canadian privacy breach class action floodgates were thrown open in 2012 that courts here are increasingly skeptical of such claims.

“It is not to say that these are trivial by any means,” he added, “but the courts have scaled back the claims that can be made and the threshold to show harm. For example, the Ontario Court of Appeal recently said that you can’t hold a company liable under the “intrusion upon seclusion” after a cyber breach by a bad guy, as it is the bad guy who is doing the intruding. The remaining legal claims generally require showing harm to the individual, which is more than an increased risk of identity theft and fraud. In most of these cyber-intrusion cases, it is very difficult to prove sufficient harm to the individuals to sustain a claim.”

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer. Former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including ITBusiness.ca. Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Story

How the CTO can Maintain Cloud Momentum Across the Enterprise

Embracing cloud is easy for some individuals. But embedding widespread cloud adoption at the enterprise level is...

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.

Featured Tech Jobs