Several proposed class action lawsuits have been filed in the U.S. stemming from the exploitation and data thefts in January from a vulnerability in Fortra’s GoAnywhere MFT file transfer software. Now a Canadian action has been filed.
Last week a Saskatchewan-based law firm, Merchant Law Group. launched a national class action suit on behalf of Canadian investors in Mackenzie Financial who say their personal information was stolen in a GoAnywhere-related hack.
Named as defendants are Mackenzie Financial and Edward Jones; Investor.com, which manages information delivered to customers of investment firms; and Fortra.
Class action suits have to be approved by a judge before proceeding.
The statement of claim on behalf of Mackenzie investors in B.C., Manitoba, Saskatchewan and Newfoundland and Labrador alleges Mackenzie and Edward Jones hired Investor.com to transfer data — including personal and financial information — between employees and partners. Investor.com and Edward Jones, it alleges, used the cloud version of GoAnwhere (called GoAnywhere MFTaaS) for data exchange.
In late January, the claim alleges, hackers exploited a zero-day vulnerability in GoAnywhere MFTaaS to create unauthorized accounts in some public and private sector customers’ environments, then copied data. That was later confirmed in a public statement from Fortra.
On Mar. 28, the claim alleges, Investor.com notified Mackenzie and Edward Jones of the GoAnywhere MFTaaS breach and that Mackenzie customers’ names, addresses and Social Insurance numbers had been leaked.
The Clop ransomware gang has taken credit for the attack. The statement of claim attempts to tie the GoAnywhere attack to the Clop gang’s exploitation of a vulnerability in the Accellion file transfer application in 2021.
“The Defendants chose not to take preventative measures even after the well-known previous similar tactics used by the Clop attackers to steal the data of more than 100 companies from Accellion FTA,” the statement of claim says. Many advisories were published in 2021 explaining the cause of that attack, the claim says, to prevent similar attacks. However, the claim alleges, the defendants didn’t exercise due diligence in preventing attacks on GoAnywhere.
The allegations haven’t been proven in court.
Fortra was asked Monday to comment on the filing of the suit. No response was received by the end of Tuesday.
In May, Mackenzie Financial told InvestmentExecutive.com that customers’ financial information, such as holdings and account balances, were not exposed in the hack.
A number of companies have admitted they were victimized by the GoAnywhere vulnerability, including the City of Toronto, Cineplex, Onex, and Hitachi Energy.
In the U.S., a number of class actions have been filed against Fortra and its customers. According to DataBreachToday.com, several involve third-party benefits administrator NationsBenefits Holdings and health insurer Aetna. None of the claims in those suits have been proven in court.
Asked to comment on the likelihood that more Canadian class actions will be filed involving data breaches from GoAnywhere or MOVEit — another file transfer utility — Halifax privacy lawyer David Fraser said it is becoming more clear after the Canadian privacy breach class action floodgates were thrown open in 2012 that courts here are increasingly skeptical of such claims.
“It is not to say that these are trivial by any means,” he added, “but the courts have scaled back the claims that can be made and the threshold to show harm. For example, the Ontario Court of Appeal recently said that you can’t hold a company liable under the “intrusion upon seclusion” after a cyber breach by a bad guy, as it is the bad guy who is doing the intruding. The remaining legal claims generally require showing harm to the individual, which is more than an increased risk of identity theft and fraud. In most of these cyber-intrusion cases, it is very difficult to prove sufficient harm to the individuals to sustain a claim.”