Fortinet confirms data breach, extortion demand

Fortinet confirmed that a threat actor stole data from a third-party cloud-based shared file drive, which affected a small number of customers, but many questions remain.

Fortinet confirmed that it suffered a data breach, though it's unclear what types of data the threat actor obtained.

The security vendor published a blog post Thursday evening disclosing that an unknown threat actor had gained unauthorized access to a limited number of files stored on a third-party cloud-based shared file drive. Fortinet said the attacker did not breach its corporate network and that the incident did not affect its operations or services.

Fortinet is one of the largest cybersecurity vendors in the industry, offering firewalls, secure access service edge, extended detection and response, and VPN products. In recent years, Fortinet VPN products have come under frequent attack from threat actors exploiting several vulnerabilities in those products to gain initial access to victim organizations.

Thursday's disclosure confirmed that Fortinet has already notified affected customers, as well as law enforcement.

"An individual gained unauthorized access to a limited number of files stored on Fortinet's instance of a third-party cloud-based shared file drive, which included limited data related to a small number (less than 0.3%) of Fortinet customers," Fortinet wrote in the blog post. "To date there is no indication that this incident has resulted in malicious activity affecting any customers."

Australian news outlet Capital Brief initially reported the breach on Thursday and said the incident affected Fortinet's Asia-Pacific customers. While Fortinet did not disclose those details, it did provide a statement to Cyber Daily and additional media outlets, including TechTarget Editorial, on other aspects of the breach. The initial statement was similar to the blog post Fortinet published late Thursday.

Security researchers first spotted a post on a widely known cybercrime forum in which a threat actor claimed to have 440 GB of leaked data from a Fortinet Azure SharePoint instance. The threat actor said the data was available in their AWS S3 bucket for other forum members to access.

The forum post also claimed that Fortinet cut off negotiations and refused to pay a ransom. The threat actor called out Fortinet co-founder and CEO Ken Xie and questioned why the company had not filed an 8-K form with the U.S. Securities and Exchange Commission to disclose the breach.

While Fortinet has not confirmed those details, the company did say that no ransomware or encryption was involved in the incident. The blog post also said the company does not believe the incident will have a material impact on its financial condition or operating results.

"After identifying the incident, we immediately began an investigation, contained the incident by terminating the unauthorized individual's access, and notified law enforcement and select cybersecurity agencies globally. A leading external forensics firm was engaged to validate our own forensics team's findings," the blog post said. "Moreover, we have put additional internal processes in place to help prevent a similar incident from reoccurring, including enhanced account monitoring and threat detection measures."

Fortinet did not respond to requests for additional comment at press time.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.
