This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

Rio Tinto

Summary

Rio Tinto warned in March 2023 that personal data of some past and present Australian staff may have been stolen in a criminal cyberattack on GoAnywhere, a managed file transfer (MFT) product from Fortra used by the company's payroll services team. The breach potentially exposed payslips and overpayment letters for a small portion of Australia-based employees, relating to certain records the team processed in January 2023. The incident was one of many in the Cl0p ransomware group's mass exploitation of a zero-day vulnerability (CVE-2023-0669) in GoAnywhere MFT.

What Happened

The potential data breach stemmed from a third-party cyberattack against GoAnywhere MFT, the Fortra file transfer product used by Rio Tinto's payroll services team. The Cl0p ransomware group exploited a then-unknown vulnerability, later assigned CVE-2023-0669: a pre-authentication remote code execution flaw reachable through the product's administrative console. Fortra has said it became aware of the exploitation on 30 January 2023; it published an emergency advisory with interim mitigations on 1 February and a patched release (GoAnywhere MFT 7.1.2) on 7 February. Cl0p had already used the flaw against numerous organisations worldwide before a patch was available, and later claimed around 130 victims.

The Cl0p ransomware gang listed the mining company on its dark web leak site around 17 March, claiming to have hacked it. Rio Tinto notified affected staff in late March 2023, several weeks after first becoming aware of the incident.

The affected data consisted of certain records processed by Rio Tinto's payroll services team in January 2023, including payslips and overpayment letters for a small portion of past and present employees based in Australia.

Impact on Individuals

A small number of Rio Tinto's Australian staff, both current and former employees, were potentially affected by the breach. The compromised data included:

  • Payslips (containing names, salary information, bank account numbers)
  • Overpayment letters
  • Other payroll-related documents processed in January 2023

Payslip exposure matters because an Australian payslip typically carries a full employment and financial profile: name, employer, salary, tax details, superannuation fund details, and the bank account wages are paid into. An attacker holding that data can attempt identity theft, fraudulent tax or superannuation claims, or highly credible social engineering, for example a payroll-diversion request to HR that quotes real pay figures and account numbers. Affected staff should treat unexpected messages that reference their pay details with suspicion and verify any request to change bank details through a known, separate channel.

Organisational Response

Rio Tinto said it was "deeply disappointed" that the incident had occurred at its vendor and offered "sincere apologies" to those impacted. The company notified affected staff and provided guidance on protective measures they should take.

The incident was part of a broader global campaign by the Cl0p ransomware group against organisations running vulnerable GoAnywhere MFT installations. Other organisations affected by the same campaign included Crown Resorts, the Tasmanian Government, and numerous other companies and government agencies worldwide.

Rio Tinto's incident illustrates a recurring supply-chain pattern: an organisation's own perimeter can be well defended while sensitive data sits in a vendor-supplied file transfer system, and a single pre-authentication flaw in that system's internet-facing administrative interface exposes everything staged there. Fortra's guidance at the time was that the GoAnywhere administrative console should not be exposed to the internet and, until the patch was applied, that the vulnerable servlet mapping be removed from the application's configuration. Organisations running MFT products should also know what data is staged on them and for how long, since payroll files left in transfer folders extend the blast radius of any compromise.

Verification Source: View original statement