Fortinet admits miscreant got hold of customer data in the cloud

Fortinet has admitted that bad actors accessed cloud-hosted data about its customers, but insisted it was a "limited number" of files. The question is: how limited is "limited"?

"An individual gained unauthorized access to a limited number of files stored on Fortinet's instance of a third-party cloud-based shared file drive, which included limited data related to a small number (less than 0.3 percent) of Fortinet customers," the security giant announced in a blog post.

"Fortinet's operations, products, and services have not been impacted, and we have identified no evidence of additional access to any other Fortinet resource. The incident did not involve any data encryption, deployment of ransomware, or access to Fortinet's corporate network."

The business stated that no malicious activity directed against its customers had been detected as a result of the intrusion. It has terminated the miscreant's access to the data and called in law enforcement and notified "select cybersecurity agencies" about the incident.

On Thursday morning, meanwhile, someone calling themselves "Fortibitch" posted to a dark web forum and offered a whopping 440GB of Azure SharePoint files for download – containing Fortinet customer data stolen from an open Amazon S3 bucket. They claimed to have approached Fortinet for a ransom payment in exchange for not leaking the data, but stated the infosec business declined to cough up.

• China's FortiGate attacks more extensive than first thought
• More than 133,000 Fortinet appliances still vulnerable to month-old critical bug
• Fortinet's week to forget: Critical vulns, disclosure screw-ups, and that toothbrush DDoS attack claim
• AMD internal data reportedly offered for sale

Fortibitch also accused the biz of not filing an SEC form 8-K detailing the loss – which would alert shareholders and customers. Fortinet commented that "given the limited nature of the incident, we have not experienced, and do not currently believe that the incident is reasonably likely to have, a material impact to our financial condition or operating results," so no 8-K is needed.

It wouldn't be the first, the second, or even the twentieth time a third-party supplier has been responsible for data falling into the wrong hands. But when your business is security, such incidents can cause embarrassment and reputational harm.

Fortinet has had a bad run of things this year on the security front, including:

• January 2024 – Fortinet patched two more critical holes in its FortiOS and FortiProxy HA cluster code base. It's not known if these were exploited beforehand.
• February 2024 – A week to forget began badly with a pair of critical flaw fixes, then another in its operating system. Customers were slow to respond, leaving over 100,000 vulnerable devices online, even though China's Volt Typhoon cracking gang started targeting Fortinet devices.
• June 2024 – Security at the Netherlands Ministry of Defense was broken by Chinese hackers using a vulnerability that went undiscovered for two months. Around 20,000 other FortiGate firewalls were attacked in the same way before Fortinet found out.

In short, Fortinet can hardly afford to notch up more security breaches. The theft of nearly a half-terabyte of customer data is a serious business and dismissing the incident as "limited" might not be the right approach.

We'll update the story as more information comes in. ®