Giant data breach of personal health information from several major hospitals | Fortra

IT Firm Fortra Sued After Data Breach Exposed 139,493 Social Security Numbers
Corporate Misconduct Accountability Project

Cybersecurity company Fortra LLC is accused of failing to protect sensitive data after a January 2023 breach exposed names and Social Security numbers of approximately 139,493 customers and employees, leaving them vulnerable to identity theft and fraud.

CRITICAL SEVERITY
TL;DR

Fortra LLC, a company that markets itself as a cybersecurity ally, suffered a major data breach in January 2023 that exposed the names and Social Security numbers of approximately 139,493 individuals. The breach occurred when hackers exploited vulnerabilities in Fortra’s GoAnywhere software between January 30-31, 2023. Victims allege the company failed to implement basic security measures despite known risks, leaving sensitive customer and employee data vulnerable to theft and exposing affected individuals to years of potential identity theft and fraud.

This case shows how even cybersecurity companies can fail to protect the data they are entrusted to secure.

139,493: Individuals whose data was compromised
$363: Black market value per healthcare record
12 months: Credit monitoring offered by Fortra
7+ years: Potential duration of identity theft risk

The Allegations: A Breakdown

⚠️
Core Allegations
What Fortra did · 8 points
01 Fortra stored sensitive data including names and Social Security numbers on systems with known vulnerabilities. The company discovered a vulnerability in its software on January 29, 2023, yet unauthorized parties still accessed files on January 30-31, 2023. high
02 Fortra maintained private information in a reckless and negligent manner, leaving it vulnerable to cyberattacks despite the company marketing itself as a cybersecurity ally. The breach was caused at least in part by vulnerabilities in Fortra’s own software. high
03 Fortra waited until February 7, 2023 to determine that the compromised information included names and Social Security numbers, and did not notify victims until around February 28, 2023, nearly a month after discovering the breach. high
04 The company failed to implement basic security measures like encrypting stored information, monitoring for intrusions, limiting access to sensitive data, and using multi-factor authentication. These failures allowed hackers to access files containing private information. high
05 Fortra knew or should have known about the substantial increase in cyberattacks targeting companies like it, yet failed to take necessary steps to secure private information from those known risks. high
06 The company failed to ensure that third-party vendors with access to its systems employed reasonable security procedures, creating additional vulnerabilities in its data protection. medium
07 Fortra failed to properly train employees in handling sensitive information and maintaining adequate email security practices, leaving additional entry points for attackers. medium
08 After the breach, Fortra offered only 12 months of complimentary credit monitoring, which does nothing to compensate victims for damages incurred, time spent dealing with the breach, or the years of ongoing identity theft risk they face. medium
📋
Regulatory Failures
How Fortra ignored established standards · 6 points
01 Fortra violated Federal Trade Commission guidelines that require businesses to protect personal customer information, properly dispose of information no longer needed, encrypt information stored on networks, understand network vulnerabilities, and implement policies to correct security problems. high
02 The company failed to implement FTC recommendations to use intrusion detection systems, monitor incoming traffic for hacking attempts, watch for large data transmissions, and have response plans ready for breaches. high
03 Fortra failed to comply with the NIST Cybersecurity Framework Version 1.1, including standards for access control, data security, protective technology, detection processes, and response coordination. high
04 The company failed to meet Center for Internet Security Critical Security Controls standards, which represent established industry benchmarks for reasonable cybersecurity readiness. high
05 Fortra violated Section 5 of the Federal Trade Commission Act by failing to employ reasonable and appropriate measures to protect against unauthorized access to confidential consumer data, which the FTC treats as an unfair practice. high
06 The company failed to comply with the FTC guideline to not maintain private information longer than necessary, limit access to sensitive data, require complex passwords, use industry-tested security methods, and verify third-party providers have reasonable security measures. medium
💰
Profit Over People
Security as a cost to minimize · 6 points
01 Fortra markets itself publicly as Your Cybersecurity Ally offering vulnerability management and data protection services, yet allegedly maintained private information in a reckless and negligent manner vulnerable to cyberattacks, suggesting resources were allocated to revenue generation rather than internal security. high
02 The mechanism of the cyberattack and potential for improper disclosure were known risks to Fortra, yet the company chose not to invest sufficiently in preventative measures to protect customer and employee data. high
03 Fortra failed to implement basic security practices including educating employees, requiring strong passwords, using multi-layer security with firewalls and anti-malware, encrypting data, using multi-factor authentication, and backing up data despite these being standard industry practices. high
04 Part of the price customers paid to Fortra was intended to fund adequate security of the company’s network and customers’ private information, but customers did not receive the data protection they paid for and agreed to receive. medium
05 The company collected and derived benefits from customer and employee private information while failing to fulfill its responsibility to protect that information from unauthorized disclosure, prioritizing business operations over data security. medium
06 Fortra failed to implement appropriate malware detection software, monitor and limit network ports, protect web browsers and email systems, set up network systems like firewalls and routers properly, and monitor physical security systems. medium
💸
Economic Fallout
Costs shifted to victims · 8 points
01 Victims suffered ascertainable losses including out-of-pocket expenses and the value of their time spent monitoring accounts, verifying the breach notification, communicating with banks, exploring credit monitoring options, and dealing with anxiety about potential identity theft. high
02 Private information on the black market can sell for as much as 363 dollars per record. Victims suffered diminution in the value of their private information, which is now in the hands of data thieves and has been permanently compromised. high
03 Victims face ongoing out-of-pocket costs for purchasing credit monitoring services beyond what Fortra offered, credit freezes, credit reports, and other protective measures to detect and deter identity theft that may continue for years. high
04 Identity thieves can use stolen Social Security numbers to open new financial accounts, take out loans, use names to obtain medical services, obtain driver’s licenses with false photos, file fraudulent tax returns, apply for jobs using false identities, rent housing, and give false information to police during arrests. high
05 Victims must spend significant time closely monitoring Social Security numbers, medical insurance accounts, bank accounts, and credit reports for unauthorized activity for years to come, time that has been lost forever and cannot be recaptured. medium
06 The Social Security Administration warns that obtaining a new Social Security number requires significant paperwork and evidence of actual misuse, and even then may not be effective because credit bureaus and banks can quickly link the new number to the old one, inheriting all the compromised information. medium
07 According to a US Government Accountability Office report, law enforcement officials say stolen data may be held for up to a year or more before being used to commit identity theft, and once data is sold or posted online, fraudulent use may continue for years. medium
08 Victims paid for services that included data security but received inadequate protection, suffering benefit-of-the-bargain damages because they did not get what they paid for and agreed to receive. medium
👷
Worker Exploitation
Employee data also compromised · 4 points
01 The data breach compromised information belonging to current and former employees of Fortra, specifically their names and Social Security numbers, placing workers in the same vulnerable position as external customers. high
02 Employees provided their personal information to Fortra as a condition of employment with the implicit understanding it would be kept secure and used only for legitimate employment purposes, but Fortra failed to protect this data. high
03 The power imbalance in the employer-employee relationship means workers have little choice but to provide sensitive data like Social Security numbers. Fortra’s alleged failure to safeguard this information represents a breach of trust and disregard for worker well-being. medium
04 Cost-cutting in cybersecurity driven by profit motives directly harmed the individuals contributing to the company’s operations, both past and present employees whose data was compromised. medium
🏥
Public Health and Safety
Broader risks of compromised data · 5 points
01 Research shows that data security incidents at service providers have been linked to deterioration in timeliness of care and patient outcomes, and in some cases an increase in death rates, demonstrating the life-altering consequences of data breaches. high
02 Criminals can use stolen names and Social Security numbers to fraudulently obtain medical services in a victim’s name, leading to incorrect medical records that could have dire consequences for future legitimate medical treatment. high
03 Data thieves can give false information to police during an arrest using a victim’s identity, potentially resulting in arrest warrants being issued in an innocent victim’s name, threatening personal liberty and public safety. high
04 The stress and anxiety from the constant threat of identity theft takes a significant toll on victims’ mental and physical health, forcing them to live with ongoing fear about the potential misuse of their most private information. medium
05 Victims must vigilantly monitor their accounts for many years, living with the anxiety that their private information may be disclosed and used against them, depriving them of any right to privacy. medium
👥
Community Impact
Nearly 140,000 lives affected · 5 points
01 The data breach created an unwilling community of approximately 139,493 individuals bound together by the compromise of their most sensitive personal information, all facing a present and substantially increased risk of fraud and identity theft. high
02 The sheer scale of this breach means nearly 140,000 individuals must now live with heightened vigilance and stress monitoring their financial and personal lives for signs of misuse, representing a significant societal cost from the alleged failures of a single corporation. high
03 The considerable time lag between when data is stolen and when it is used for malicious purposes means the impact on this community is not a fleeting event but a prolonged period of uncertainty and risk that can last years. high
04 Each affected person now faces risks including criminals opening new financial accounts in their names, taking out loans, using their names to obtain medical services, obtaining licenses with false photos, or filing fraudulent tax returns. medium
05 This collective burden of monitoring, mitigation, and anxiety represents a massive transfer of harm from corporate negligence onto individual victims who must bear the consequences of Fortra’s alleged security failures. medium
📢
The PR Machine
Limited remedies after the breach · 6 points
01 Fortra issued a Notice of Data Breach to affected individuals on or around February 28, 2023, admitting the breach was caused at least in part by vulnerabilities located in its software. medium
02 The company offered merely complimentary fraud and identity monitoring services for up to twelve months, which does nothing to compensate victims for damages incurred and time spent dealing with the breach. high
03 The limited twelve-month duration of monitoring is inadequate because stolen Social Security numbers can be exploited by criminals for many years into the future, leaving victims exposed after the monitoring expires. high
04 Fortra’s response follows a standard corporate playbook: acknowledge the incident as required by law, frame it as an external attack exploiting a vulnerability, and offer limited third-party mitigation services to manage reputational damage and limit liability. medium
05 The notice stated Fortra has no indication that information was subject to actual or attempted misuse, attempting to minimize the severity of the breach despite victims facing years of potential identity theft risk. medium
06 To date, Fortra has done nothing to provide victims with relief for the damages they have suffered beyond the inadequate twelve-month monitoring offer, refusing to fully address the long-term harm and anxieties faced by those whose data was permanently compromised. medium
⚖️
Wealth Disparity
Data value vs. protection costs · 6 points
01 Private information is extremely valuable property with worth demonstrated by the big data economy and severe penalties for cyber theft, yet Fortra allegedly undervalued the security of the vast amounts of personal data it collected. high
02 The cost of implementing robust, state-of-the-art cybersecurity measures is substantial, and in a system prioritizing short-term gains and shareholder value, companies face implicit incentives to minimize such operational costs. high
03 Fortra’s alleged inadequate cybersecurity measures and failure to comply with industry standards suggest the company made choices that left nearly 140,000 individuals’ data vulnerable, potentially to save on security expenses. high
04 The enormous profit derived from data collection and processing is not matched by willingness to bear the full costs of ethical and secure data stewardship, shifting the economic burden of breaches largely onto individual victims. high
05 Corporations may view breach repercussions like fines, legal costs, and reputational damage as calculable business risks potentially less than sustained comprehensive security investments, treating penalties as a cost of doing business. medium
06 Personally identifiable information that companies obtain at little cost has quantifiable value rapidly reaching levels comparable to traditional financial assets, yet investment in protecting that data often lags far behind its market value. medium
Exploiting Delay
How time compounds the harm · 4 points
01 Stolen data may be held for up to a year or more before being used to commit identity theft, and fraudulent use of that information may continue for years, meaning victims remain at prolonged risk with no clear endpoint. high
02 A gap existed between Fortra learning of a vulnerability on January 29, 2023, confirming unauthorized access by February 3, determining Social Security numbers were involved by February 7, and victims receiving notice around February 28, preventing them from taking immediate protective measures. medium
03 Any undue delay in notifying affected individuals after discovering a breach prevents victims from taking timely protective steps to mitigate damage and secure their accounts before criminals can exploit the stolen data. medium
04 The inherent lag between data theft and its malicious use means victims face years of uncertainty and risk, during which criminals can strategically time their attacks when victims may have let down their guard. medium
⚖️
Corporate Accountability Failures
Insufficient deterrents · 6 points
01 When a company marketing itself as a Cybersecurity Ally allegedly maintains private information including nearly 140,000 Social Security numbers in a reckless and negligent manner, it raises serious questions about the effectiveness of existing deterrents and oversight. high
02 Fortra’s offer of only twelve months of monitoring is inadequate compensation for damages and ongoing risks, reflecting a system where penalties for data breaches may not be severe enough to compel corporations to make necessary upfront investments in robust security. high
03 The cost of a settlement or litigated penalty might be treated by corporations as a cost of doing business, potentially less than the expense of comprehensive ongoing security upgrades and diligent oversight. high
04 The lawsuit seeks injunctive relief including improvements to data security systems, future annual audits, and adequate credit monitoring funded by Fortra, highlighting the need for proactive changes to prevent future harm rather than merely reacting after breaches occur. medium
05 Penalties not coupled with significant victim-focused compensation and mandated systemic reforms may allow companies to view security spending as optional rather than treating protection of private information as a non-negotiable ethical and operational imperative. medium
06 The lawsuit aims to make consequences of alleged negligence more significant, fostering a corporate environment where data protection is prioritized as a fundamental responsibility, not just a budget line item to be minimized. medium
🎯
The Bottom Line
System working as designed · 8 points
01 The alleged breach at Fortra can be viewed not as a failure but as a predictable outcome of a system that structurally prioritizes profit over comprehensive data protection, making such breaches a foreseeable feature rather than an aberration. high
02 When a cybersecurity solutions provider becomes the site of a major breach due to alleged inadequate measures and software vulnerabilities, it reveals a profound misalignment between marketed services and actual practices. high
03 If robust data security is perceived as a cost center that does not directly generate revenue, the incentive in a profit-driven system is to invest the minimum deemed necessary or even less if oversight is weak. high
04 Approximately 139,493 individuals now face the specter of identity theft, financial fraud, and enduring anxiety because their names and Social Security numbers are in the hands of criminals due to alleged corporate negligence. high
05 The case highlights a critical tension in modern economies between the immense value corporations derive from personal data versus the often-underestimated investment required to secure it against increasingly sophisticated threats. high
06 When profit motives lead to alleged negligence in data protection, the consequences are borne not by the boardroom but by ordinary people who must navigate the complex process of safeguarding their identities and finances. high
07 The lawsuit seeks to shift the burden back onto the corporation, demanding compensation and tangible security improvements, serving as a testament to the ongoing struggle to ensure privacy rights are not left behind in the pursuit of corporate growth. medium
08 The resulting harm of identity theft risks, financial losses, and loss of privacy is externalized onto victims rather than borne by the company that allegedly failed to protect their data. medium

Timeline of Events

January 29, 2023: Fortra experienced a cyber incident and learned of a vulnerability in their software
January 30-31, 2023: Unauthorized third party had access to files stored within Fortra’s GoAnywhere site
February 3, 2023: Fortra notified Hatch Bank that its files on GoAnywhere were subject to unauthorized access
February 7, 2023: Fortra determined that impacted information included names and Social Security numbers
February 28, 2023: Plaintiff Valerie Anderson received Notice of Data Breach from Fortra
March 6, 2023: Class Action Complaint filed against Fortra LLC in US District Court for District of Minnesota

Direct Quotes from the Legal Record

QUOTE 1 (allegations): Fortra admits software vulnerabilities caused breach
“On January 29, 2023, [Defendant] experienced a cyber incident when they learned of a vulnerability located in their software.”

💡 The company’s own notice admits the breach resulted from flaws in its own systems, not just external attacks.

QUOTE 2 (allegations): Unauthorized access to sensitive files confirmed
“between January 30 and January 31, 2023, someone without authorization had access to certain files stored within [Defendant’s] GoAnywhere site.”

💡 Hackers had direct access to files containing private customer and employee information for at least two days.

QUOTE 3 (allegations): Social Security numbers were compromised
“On February 7, 2023, [Defendant] determined the information may have been impacted by this incident includes [Plaintiff’s] name and Social Security number.”

💡 The most sensitive form of personal identification was exposed, creating maximum risk for identity theft.

QUOTE 4 (allegations): Fortra admits breach was caused by its own vulnerabilities
“Through its Notice of Data Breach, Defendant admits that the Data Breach was caused, at least in part, due to vulnerability[ies] located in [its] software.”

💡 The company acknowledges the breach resulted from its own security failures, not unforeseeable external factors.

QUOTE 5 (profit): Private information maintained recklessly
“Defendant maintained the Private Information in a reckless and negligent manner. In particular, the Private Information was maintained on Defendant’s computer system and network in a condition vulnerable to cyberattacks.”

💡 The lawsuit alleges Fortra knowingly left sensitive data in an insecure state despite its responsibility to protect it.

QUOTE 6 (profit): Breach mechanism was a known risk to Fortra
“Upon information and belief, the mechanism of the cyberattack and potential for improper disclosure of Plaintiff’s and Class Members’ Private Information was a known risk to Defendant, and thus Defendant was on notice that failing to take steps necessary to secure the Private Information from those risks left that property in a dangerous condition.”

💡 Fortra was aware of these risks but chose not to invest sufficiently in prevention.

QUOTE 7 (economic): Stolen data may be used for years
“law enforcement officials told us that in some cases, stolen data may be held for up to a year or more before being used to commit identity theft. Further, once stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years.”

💡 Victims face years of risk, not just immediate harm, making short-term monitoring inadequate.

QUOTE 8 (wealth): Private information is extremely valuable
“PII, which companies obtain at little cost, has quantifiable value that is rapidly reaching a level comparable to the value of traditional financial assets.”

💡 The data Fortra failed to protect has immense economic value that companies profit from without investing proportionally in security.

QUOTE 9 (regulatory): FTC treats inadequate security as unfair practice
“The FTC has brought enforcement actions against businesses for failing to adequately and reasonably protect customer data, treating the failure to employ reasonable and appropriate measures to protect against unauthorized access to confidential consumer data as an unfair act or practice prohibited by Section 5 of the Federal Trade Commission Act.”

💡 Federal regulators have established that inadequate data security is not just negligence but an unfair business practice.

QUOTE 10 (regulatory): Fortra failed to implement basic security practices
“Defendant failed to properly implement basic data security practices.”

💡 The company did not even meet minimum standards for protecting sensitive information.

QUOTE 11 (economic): Victims must monitor accounts for years
“Plaintiff and Class Members must now and in the future closely monitor their financial accounts to guard against identity theft.”

💡 The breach creates an ongoing burden of vigilance and anxiety that victims must bear indefinitely.

QUOTE 12 (economic): Obtaining new Social Security number is difficult and ineffective
“An individual cannot obtain a new Social Security number without significant paperwork and evidence of actual misuse. Even then, a new Social Security number may not be effective, as [t]he credit bureaus and banks are able to link the new number very quickly to the old number, so all of that old bad information is quickly inherited into the new Social Security number.”

💡 Once a Social Security number is compromised, victims have no effective remedy to fully protect themselves.

QUOTE 13 (pr_machine): Fortra offers inadequate remedy
“Defendant has merely offered Plaintiff and Class Members complimentary fraud and identity monitoring services for up to twelve (12) months, but this does nothing to compensate them for damages incurred and time spent dealing with the Data Breach.”

💡 The company’s response provides minimal help while avoiding compensation for actual harms and long-term risks.

QUOTE 14 (workers): Employee data also compromised
“Information compromised in the Data Breach includes Defendant’s customers’ and (current and former) employees’ name and Social Security number.”

💡 The breach harmed not just customers but also Fortra’s own workforce, who had no choice but to provide this data.

QUOTE 15 (community): Approximately 140,000 people affected
“On information and belief, the investigation revealed that approximately 139,493 individuals were victims of the Data Breach.”

💡 The massive scale of this breach shows the widespread harm from a single company’s alleged security failures.

Frequently Asked Questions

What information was stolen in the Fortra data breach?
The breach exposed names and Social Security numbers of approximately 139,493 customers and employees. This combination of information is particularly dangerous because it gives criminals the tools they need to steal identities, open fraudulent accounts, and commit various types of financial fraud.
When did the Fortra data breach happen?
Unauthorized parties accessed Fortra’s systems between January 30-31, 2023. Fortra discovered a vulnerability in its software on January 29, 2023, but did not notify victims until around February 28, 2023, nearly a month after the breach occurred.
How did hackers access the data?
According to Fortra’s own notice, the breach was caused at least in part by vulnerabilities located in the company’s software, specifically in its GoAnywhere site where customer and employee files were stored. The lawsuit alleges these vulnerabilities existed because Fortra failed to implement basic security measures.
What can I do if my data was exposed in this breach?
If you received a notice from Fortra, immediately place a fraud alert on your credit reports with all three major credit bureaus. Consider a credit freeze to prevent new accounts from being opened in your name. Monitor your financial accounts closely for unauthorized activity. File your taxes early to prevent fraudulent tax returns. Keep detailed records of any time and money spent addressing the breach, as these may be recoverable damages. Consider joining the class action lawsuit if you were affected.
Why did it take Fortra so long to notify victims?
Fortra discovered the vulnerability on January 29, 2023, confirmed unauthorized access occurred between January 30-31, and determined Social Security numbers were involved by February 7, but did not notify victims until around February 28. This delay prevented victims from taking immediate protective steps during the critical period when their data was most vulnerable to misuse.
Is the 12 months of credit monitoring Fortra offered enough protection?
No. The lawsuit argues that 12 months is grossly inadequate because stolen Social Security numbers can be exploited by criminals for 7 years or more. Once your Social Security number is compromised, it remains at risk indefinitely, and obtaining a new number is extremely difficult and often ineffective.
What security failures allowed this breach to happen?
The lawsuit alleges Fortra failed to implement basic security practices including encrypting stored data, using multi-factor authentication, properly monitoring systems for intrusions, limiting access to sensitive data, training employees on security, and maintaining adequate email security. These failures violated both FTC guidelines and industry standards.
How can my Social Security number be misused by criminals?
Criminals can use your name and Social Security number to open new credit cards and bank accounts, take out loans, file fraudulent tax returns, obtain medical services, apply for government benefits, get driver’s licenses with your information but someone else’s photo, rent housing, apply for jobs, or give false information to police during arrests.
What is the black market value of the stolen information?
According to the lawsuit, personally identifiable healthcare information can sell for as much as 363 dollars per record on the black market, more than 10 times the value of stolen credit card information. This high value makes such data extremely attractive to criminals and explains why they target it.
Were Fortra employees also affected by this breach?
Yes. The lawsuit states that the compromised data included information belonging to current and former employees, not just customers. This means Fortra’s own workforce, who provided their Social Security numbers as a condition of employment, are also victims of the company’s alleged security failures.
Post ID: 4302  ·  Slug: fortra-data-breach-corporate-negligence-ssn-exposure  ·  Original: 2025-05-31  ·  Rebuilt: 2026-03-20

Aleeia

I'm the creator of this website. I have 6+ years of experience as an independent researcher studying corporatocracy and its detrimental effects on every single aspect of society.

For more information, please see my About page.

All posts published by this profile were either personally written by me, or I actively edited / reviewed them before publishing. Thank you for your attention to this matter.