March 20, 2023

Last week, we reported that Rubrik experienced unauthorized access to a non-production, IT testing environment as a result of the GoAnywhere vulnerability. Upon discovering the unauthorized access, Rubrik quickly took down the involved non-production environment and contained the threat. Additionally, in partnership with third-party forensic experts, we launched a comprehensive investigation to understand the nature and scope of the incident. The forensic investigation, which included a comprehensive scan of all of our environments, has determined the following:

  1. The unauthorized access did NOT include data we secure on behalf of our customers via Rubrik products or services. In addition, there was no sensitive data stored in the impacted non-production, IT testing environment.

  2. There is no evidence of lateral movement to any other system in our network, meaning the unauthorized access was limited to a single non-production, IT testing environment. This environment was designed to test our internal IT business systems and integrations (e.g., Rubrik web traffic, marketing data, sales leads) and is unrelated to our product development environment, our hosting platform, our SaaS services, or support environments for customers. In short, the unauthorized access was strictly contained to this single, non-production, IT testing environment.

  3. The GoAnywhere software is not and was never used as any component in any of our products, or SaaS services or support environments we provide to our customers or partners.

  4. No evidence of additional malicious activity or compromise. We have scanned our network, including both production and non-production environments, to look for any additional unauthorized access or lateral movements resulting from the GoAnywhere vulnerability, and we have not uncovered any evidence of additional malicious activity or compromise. While we don’t disclose our internal cybersecurity practices, we use a combination of industry-leading tools to defend, monitor, and alert on the status and security of our networks. 

  5. Sensitive data was not stored in the impacted, non-production, IT testing environment. Out of an abundance of caution, we have diligently searched for data that may be considered sensitive. We have determined that no sensitive personal data (such as government-issued IDs, health information, Social Security numbers, payment card numbers or similar information) was stored in this environment or taken or accessed in any way. 

As a cybersecurity-focused organization, securing our customers’, partners’ and employees’ data is a key and critical business priority. We greatly appreciate the cooperation and understanding we’ve received from our customers and partners. As we internalize the valuable lessons learned in responding to this event, we move forward stronger and more resilient than before.

March 14, 2023

In February of this year, one of our vendors, Fortra, the developers of the GoAnywhere Managed File Transfer, advised of a zero-day remote code execution vulnerability. It has been reported that this vulnerability is being actively exploited across more than 100 organizations globally.

We detected unauthorized access to a limited amount of information in one of our non-production IT testing environments as a result of the GoAnywhere vulnerability. Importantly, based on our current investigation, being conducted with the assistance of third-party forensics experts, the unauthorized access did NOT include any data we secure on behalf of our customers via any Rubrik products.  

The current investigation has determined there was no lateral movement to other environments. Rubrik took the involved non-production environment offline and leveraged our own security systems and solutions to quickly contain the threat and help restore our test environment. 

Rubrik has been conducting a thorough, comprehensive review of the involved data in partnership with a third-party firm. The involved data mainly consists of Rubrik internal sales information, which includes certain customer and partner company names, business contact information, and a limited number of purchase orders from Rubrik distributors. The third-party firm has also confirmed that no sensitive personal data such as social security numbers, financial account numbers, or payment card numbers were exposed.

As a cybersecurity company, the security of customer data we maintain is our highest priority. If we learn additional, relevant information we will update this post. We sincerely regret any concern this may cause you, and as always, we appreciate your continued partnership and look forward to our ongoing work together.