Fortinet confirms data breach

Assures customers of limited impact

Cybersecurity firm Fortinet has confirmed a data breach that impacted a small subset of its customers.

In a statement released on its website, the company disclosed that an unauthorised individual gained access to a limited number of files stored on a third-party cloud-based shared file drive.

The breach was first reported by Bleeping Computer, which said it involved the theft of 440 gigabytes of customer data. In a post on a hacking forum, a threat actor using the handle "Fortibitch" claimed to have gained access to Fortinet's Azure SharePoint instance and to have exfiltrated a large volume of data from it.

The actor shared credentials to a storage bucket where the stolen data is allegedly stored.

Fortinet did not specify the exact nature of the stolen data, but confirmed that the incident did not involve any data encryption, ransomware, or access to the company's corporate network.

Additionally, there has been no indication of any malicious activity targeting customers as a result of the incident.

The company said the breach affected less than 0.3% of its customer base. Since Fortinet has well over half a million customers, 0.3% of that base works out to somewhere above 1,500 organisations, so the figure is an upper bound on the number of corporate customers affected rather than a floor.

Fortinet has taken steps to address the breach, including terminating the unauthorised individual's access, notifying law enforcement and cybersecurity agencies, and engaging a leading external forensics firm.

The company has also implemented additional security measures to prevent similar incidents from happening in the future.

It assured customers that the incident was limited in scope and had no material impact on its operations or financial results.

"Protecting the security of our customers and safeguarding our data and the integrity of our business operations is at the forefront of everything we do," Fortinet said, adding that they have "put additional internal processes in place to help prevent a similar incident from reoccurring, including enhanced account monitoring and threat detection measures."

However, the incident raises concerns about the security of Fortinet's customer data and the effectiveness of its own cybersecurity solutions.

It comes just months after a threat actor claimed to have breached the GitHub repositories of Panopta, a company acquired by Fortinet in 2020. The breach resulted in the leak of stolen data on a Russian-speaking hacking forum.

In April, Fortinet patched a critical remote code execution (RCE) vulnerability in FortiClientLinux, among multiple vulnerabilities across various products.

Earlier in March, the company disclosed a critical-severity vulnerability, CVE-2023-48788, affecting FortiClient Endpoint Management Server (EMS). Experts warned that attackers were likely to exploit the bug, given the public availability of proof-of-concept exploit code and the history of threat actors targeting Fortinet devices.

The same month, security non-profit Shadowserver warned that over 133,000 Fortinet appliances remained vulnerable to CVE-2024-21762, a critical-severity flaw, despite Fortinet having released a patch for it in early February.