{
	"id": "0105383d-a17f-47f2-99b5-317ba8d4408a",
	"created_at": "2026-04-06T00:22:25.728793Z",
	"updated_at": "2026-04-10T13:11:36.371834Z",
	"deleted_at": null,
	"sha1_hash": "0862fc27df0a2f1e905022e214d6071621e9d315",
	"title": "Clop ransomware claims Saks Fifth Avenue, retailer says mock data stolen",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1492882,
	"plain_text": "Clop ransomware claims Saks Fifth Avenue, retailer says mock data\r\nstolen\r\nBy Ax Sharma\r\nPublished: 2023-03-21 · Archived: 2026-04-05 22:31:29 UTC\r\nThe Clop ransomware gang claims to have attacked Saks Fifth Avenue on its dark web leak site.\r\nThe cyber security incident is among Clop's ongoing attacks against vulnerable GoAnywhere MFT servers belonging to\r\nestablished enterprises. Although the company states no real customer data is impacted, it did not address if corporate or\r\nemployee data was stolen.\r\nFounded in 1867 by Andrew Saks and headquartered in New York City, Saks Fifth Avenue remains among prominent luxury\r\nbrand retailers serving the U.S., Canada and parts of the Middle East.\r\nhttps://www.bleepingcomputer.com/news/security/clop-ransomware-claims-saks-fifth-avenue-retailer-says-mock-data-stolen/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/clop-ransomware-claims-saks-fifth-avenue-retailer-says-mock-data-stolen/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nClop on a GoAnywhere exploit spree\r\nYesterday, the Clop ransomware gang listed \"Saks Fifth Avenue\" on its data leak website among their latest victims, as seen\r\nby BleepingComputer:\r\nCl0p ransomware claims to have attacked Saks Fifth Avenue (BleepingComputer)\r\nThe threat actor has not yet disclosed any additional information, such as what all data it stole from the luxury brand\r\nretailer's systems, or details about any ongoing ransom negotiations.\r\nBleepingComputer has confirmed, however, the cyber security incident is linked to Clop's ongoing attacks targeting\r\nGoAnywhere servers vulnerable to a security flaw.\r\nThe flaw, now tracked as CVE-2023-0669, enables attackers to gain remote code execution on unpatched GoAnywhere\r\nMFT instances with their administrative console exposed to Internet access.\r\nGoAnywhere MFT's developer Fortra (formerly HelpSystems) had previously disclosed to its customers that the\r\nvulnerability had been exploited as a zero-day in the wild and urged customers to patch their systems. The official advisory\r\nremains hidden to the public, but was earlier made public by investigative reporter Brian Krebs.\r\nIn February, Clop reached out to BleepingComputer and claimed it had breached 130+ organizations and stolen their data\r\nover the course of ten days by exploiting this particular vulnerability on enterprise servers.\r\nThis month, Hitachi Energy disclosed a data breach by Clop resulting from the same zero-day.\r\nSaks says no real customer data stolen\r\nBleepingComputer reached out to Saks to better understand the scope of this incident. A spokesperson confirmed the\r\nincident was linked to Fortra.\r\n\"Fortra, a vendor to Saks and many other companies, recently experienced a data security incident that led to mock customer\r\ndata being taken from a storage location used by Saks,\" a Saks spokesperson told BleepingComputer.\r\n\"The mock customer data does not include real customer or payment card information and is solely used to simulate\r\ncustomer orders for testing purposes.\"\r\nWhile the retail giant states no \"real\" customer data or payment information was stolen, it did not answer our follow up\r\nquestion, as to whether corporate or employee data was compromised in this incident.\r\nhttps://www.bleepingcomputer.com/news/security/clop-ransomware-claims-saks-fifth-avenue-retailer-says-mock-data-stolen/\r\nPage 3 of 4\n\n\"We take information security very seriously, and are conducting an ongoing investigation into this incident alongside\r\noutside experts and law enforcement. As organizations increasingly face cybersecurity threats, we remain committed to\r\nensuring the safety of the information we hold,\" concluded Saks in its statement to us.\r\nFor the avoidance of doubt, Saks OFF 5TH—while previously a subsidiary of Saks Inc., is now a separate company and as\r\nsuch not linked to this incident.\r\nIn 2018, the Fin7 cybercrime syndicate had hacked Saks Fifth Avenue and Lord \u0026 Taylor to steal payment card information\r\nof 5 million customers. Nearly a year prior to that, BuzzFeed News had reported that Saks Fifth Avenue was storing personal\r\ninformation of tens of thousands of customers on publicly-accessible pages.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/clop-ransomware-claims-saks-fifth-avenue-retailer-says-mock-data-stolen/\r\nhttps://www.bleepingcomputer.com/news/security/clop-ransomware-claims-saks-fifth-avenue-retailer-says-mock-data-stolen/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/clop-ransomware-claims-saks-fifth-avenue-retailer-says-mock-data-stolen/"
	],
	"report_names": [
		"clop-ransomware-claims-saks-fifth-avenue-retailer-says-mock-data-stolen"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434945,
	"ts_updated_at": 1775826696,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0862fc27df0a2f1e905022e214d6071621e9d315.pdf",
		"text": "https://archive.orkl.eu/0862fc27df0a2f1e905022e214d6071621e9d315.txt",
		"img": "https://archive.orkl.eu/0862fc27df0a2f1e905022e214d6071621e9d315.jpg"
	}
}