Schedule a Demo
Home/Blog/Three Centralized MFTs. Same Crew. 8,000 Organizations.
Architecture · Banking

Three MFTs. Same Crew. 8,000 Orgs. The Lesson Banks Keep Missing.

Between December 2020 and May 2023, the same ransomware crew breached three centralized managed-file-transfer products. The CVE differed each time. The architecture didn't. What community-bank IT directors should take from this in 2026.

Author: Karl Falk, CEO, Botdoc
Published:
Reading time: ~10 min

If you ask a community-bank CIO in 2026 what they spent the most time worrying about over the past three years, "ransomware" is probably the answer. If you ask which specific product class drove the most consequential breaches in financial services, the honest answer is more uncomfortable. It was the product class designed to make file transfer safer.

Between December 2020 and May 2023, the ransomware crew known as Cl0p (sometimes stylized CL0P or Clop) executed three back-to-back attacks against centralized managed-file-transfer products. Each attack used a different zero-day vulnerability. Each attack compromised the customer base of a different vendor. And each attack succeeded for the same architectural reason.

This is a post about that architectural reason. It is not a post about Cl0p, who they are, or what their next move is. There is plenty of forensic and law-enforcement reporting on that topic; CISA's joint advisory AA23-158A is a good public starting point. This is a post about why centralized file transfer kept getting hit, what the pattern means for community banks and credit unions still running these products in 2026, and what the alternative architecture actually looks like.

The 30-month timeline

December 2020 , Accellion FTA

Four chained zero-days. The vendor's last release. Hundreds of organizations breached.

In December 2020, attackers later attributed to UNC2546 and UNC2582 , financially motivated groups whose extortion activity overlapped with Cl0p , exploited a chain of four vulnerabilities in Accellion's File Transfer Appliance, a 20-year-old product the vendor had already announced end-of-life. The four CVEs: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, and CVE-2021-27104. The chain delivered remote code execution. Once inside the appliance, the attackers exfiltrated customer files in bulk and posted samples to a Cl0p-branded leak site.

Mandiant's February 2021 incident analysis documented the attack chain. CISA Advisory AA21-055A tracked the affected-customer disclosures as they trickled out: Kroger, Bombardier, Singtel, the Reserve Bank of New Zealand, the Australian Securities and Investments Commission, the law firms Jones Day and Goodwin Procter, several U.S. state agencies, and a substantial set of universities. Public victim lists eventually exceeded 100 named organizations. Accellion rebranded the company to Kiteworks later in 2021. The FTA product was retired.

January 2023 , Fortra GoAnywhere MFT

One pre-authentication command-injection vulnerability. 130+ disclosures in 10 days.

Two years later, on January 30, 2023, Fortra (then HelpSystems) issued a private advisory to GoAnywhere MFT customers warning of a zero-day in the product's administrative console. The vulnerability, CVE-2023-0669, was a pre-authentication command injection. CVSS scored it 7.2; in practice it was full RCE on any internet-exposed admin console. CISA added it to the Known Exploited Vulnerabilities Catalog on February 2.

Cl0p claimed responsibility within days. Bleeping Computer reported Cl0p's own claim of 130+ organizations breached in a 10-day window. Public disclosures over the following months included Hatch Bank, Community Health Systems (impacting roughly one million patients), Hitachi Energy, the City of Toronto, Procter & Gamble, Saks Fifth Avenue, and Pluralsight. Multiple disclosures came through SEC 8-K filings; Community Health Systems' 8-K from February 2023 was an early canonical example.

May 2023 , Progress MOVEit Transfer

One SQL injection in the web UI. 2,700+ U.S. organizations. 95+ million individuals.

On May 31, 2023, Progress Software issued a security advisory for MOVEit Transfer disclosing CVE-2023-34362, a SQL injection in the product's web interface that allowed unauthenticated attackers to escalate to full database access and arbitrary file read. By the time the advisory was public, Cl0p had already been exploiting the vulnerability for at least 18 days, conducting wide-scale data theft against MOVEit-Transfer-running institutions on the public internet.

CISA's joint advisory AA23-158A with the FBI followed on June 7, 2023. By the time the dust settled, third-party trackers like KonBriefing and Emsisoft had logged more than 2,700 confirmed-victim U.S. organizations and roughly 95 million affected individuals. The list reads like a financial-services directory: TIAA, Putnam Investments, Pension Benefit Information, the Teachers Insurance and Annuity Association, Charles Schwab affiliates, multiple state pension funds, and dozens of regional banks and credit unions disclosed exposure through their service providers, even when the bank itself did not run MOVEit directly.

The CVEs were different. The architecture wasn't.

It is possible to read the three breaches as three unrelated security failures. Different vulnerabilities. Different products. Different vendors. A clever incident-response writeup will tell you the technical fix in each case: patch the chain, restrict the admin console, sanitize the SQL parameter. All three are correct. None of them addresses the actual lesson.

The actual lesson is that all three products had the same architecture, and that architecture is what made each of them an 8,000-organization breach instead of a single-customer breach.

Centralized managed file transfer works like this: customer A and customer B both connect to a vendor-operated (or customer-operated, but vendor-architected) server. Files move through that server. Files often sit on that server, encrypted at rest under the server's keys. The server has authentication, audit logging, encryption-in-transit, and (if the customer pays for it) encryption-at-rest. By every checkbox in the FFIEC IT Examination Handbook, this is a defensible architecture.

Until someone gets root on the server. Then every file in transit, every file at rest, every authentication credential, every audit log, and every encryption key custody record becomes the attacker's. Not for one customer. For every customer connected to that server.

This is what security architects call a high-value target: a single point at which a successful compromise yields outsized return relative to the effort to compromise it. The phrase is older than ransomware; it predates Cl0p by decades. The Accellion FTA, the GoAnywhere admin console, and the MOVEit Transfer web UI were each a high-value target by definition. A ransomware crew motivated by extortion economics correctly identified them as such and went to work.

The vendors did not architect these products to fail. They architected them to do exactly what their customers asked: receive files, hold files, apply encryption to files at rest, and forward files on. The architecture that supports those features is the architecture that creates the high-value target. You cannot have one without the other if the design is centralized.

Why financial services felt this most acutely

Healthcare, manufacturing, and federal-government victims got more press from the Cl0p campaigns. Financial services got the most regulatory exposure. Three reasons.

First, the disclosure timeline. The FTC's amended Safeguards Rule, with the 30-day breach-notification provision effective May 13, 2024, applies to non-bank financial institutions and creates a tighter clock than the SEC's 4-business-day Form 8-K standard for materially significant cyber incidents. Banks that learned of MOVEit exposure through a service provider in 2023 had to map a chain of contractual notification obligations they hadn't war-gamed. NY DFS Part 500 imposes a 72-hour breach-notification clock for state-regulated banks and insurers. Several of the institutions caught in MOVEit's blast radius missed at least one of these clocks.

Second, the named victims. The Pension Benefit Information disclosure alone exposed records for several state retirement systems; CalPERS news release to California members named PBI as the source. Putnam Investments, TIAA, and several Vanguard service-provider relationships disclosed exposure. None of these institutions ran MOVEit themselves. Their data sat on someone else's MOVEit instance. Customer-level breach notifications still had to go out.

Third, the cost framing. IBM's Cost of a Data Breach 2025 report puts the financial-sector average at $5.56 million, with banking specifically at $9.28 million. That is the per-incident average. The aggregate cost of MOVEit-attributable breaches across the financial sector , settlements, class actions, notification, regulatory penalties, customer-support cost, brand harm , is not yet fully known three years on, but credible third-party estimates have put the global aggregate of Cl0p's three campaigns north of $10 billion.

What the FFIEC handbook actually says

The frustrating part of this story for compliance officers and ISOs is that the FFIEC IT Examination Handbook has been clear about transmission security for a long time, and the language is principle-based rather than device-specific. The Information Security booklet requires institutions to "use encryption to protect information in transit" and to "implement controls to manage access to systems handling sensitive customer information." The booklet does not enumerate which products implement that requirement, and it does not distinguish between an architecture in which the data sits on a centralized vendor server and an architecture in which it does not.

An examiner reviewing a bank's MFT deployment in 2022 would have correctly concluded that GoAnywhere was a defensible answer. An examiner reviewing the same deployment in 2024 would have less to work with , not because the regulations changed, but because the threat record changed. Three centralized MFT vendors have now demonstrated, in production, that the architecture creates a single point of mass failure. That is no longer a hypothetical. It is the public record.

The 2024 update to NIST SP 1800-29 began to incorporate this lesson by emphasizing data-flow inventory and least-privilege transmission. The expectation an examiner is likely to bring to the next FFIEC IT exam , informally, before it shows up in the booklet revision , is that institutions can articulate why their document-transport architecture does not create the same kind of high-value target the public record now recognizes as a known failure mode.

What "stateless transport" actually means

The architectural alternative to centralized MFT is sometimes called stateless transport or secure digital transport (SDT). The naming is less important than what it does and does not do.

A stateless transport system encrypts a file at the sender's device (or, in the case of an MFP, at the device's network egress before it touches SMTP). The encrypted container moves over an authenticated, ephemeral session directly to the receiver's intended system of record. The container is not stored at a vendor-operated central server, because there is no vendor-operated central server in the data path. There is a coordination service that handles authentication, routing metadata, and audit logging , but it does not hold the document, the encryption keys, or any customer-readable data. Once the receiver's system of record acknowledges receipt, the container evaporates.

The audit log persists at both endpoints (sender and receiver) and at the coordination service for compliance purposes. The document itself does not. There is no central store to compromise, because there is no central store. The architecture removes the high-value target by removing the asset the target was holding.

This is the architecture Botdoc has been building since 2014 and the architecture SecureMFP applies to multifunction printers in regulated industries. SecureMFP is operated under a clean unqualified SOC 2 Type 2 opinion, GLBA-aligned, FFIEC-aware, FERPA-certified, and PCI- and HIPAA-compliant. The point of the certifications, in the context of the Cl0p discussion, is not the certifications themselves; certifications can be earned by either architecture. The point is that the architecture passes those certifications without creating the high-value target the Cl0p campaigns proved exists in centralized designs.

The five-question test

If you are evaluating any current MFT, "secure email," or document-portal product in your bank's stack, the questions below are the ones the public record now suggests you should be asking. You can ask them of your own IT team for any internally operated product, and you can ask them of any vendor for any vendor-operated product. They are designed to be answerable in writing inside one business day. If they are not, that itself is a finding.

  1. Where do my documents sit between sender and recipient? If the answer involves a vendor-operated server (or a customer-operated server architected by the vendor), the architecture has a high-value target by design. That does not automatically mean the product is unsafe. It does mean the public record now has three case studies of this architecture being compromised at scale.
  2. How long do they sit there? Even 14 days of vendor-side retention is 14 days of exposure. Compare against the 4-business-day SEC 8-K material-incident disclosure clock, the 72-hour NY DFS Part 500 clock, and the 30-day FTC Safeguards clock. A vendor whose retention window exceeds your regulatory disclosure window is a structural mismatch.
  3. Who has the encryption keys? If the vendor controls the keys to data at rest on their server, the vendor , or anyone who compromises the vendor , can read your documents. Customer-managed-key offerings exist; the question is whether you are using them.
  4. What is the disclosure mechanism if the vendor itself is breached? Many MFT contracts written before 2023 specify 30- to 90-day vendor-to-customer breach-notification windows. That timeline does not align with the regulatory clock running on you. A re-papered contract is a worthwhile project; an architecture that does not put you on someone else's clock is a better one.
  5. What does the FFIEC handbook say about your specific transport architecture? Read the relevant section of the Information Security booklet with your transport architecture in mind. The booklet is principle-based. Your architecture is concrete. Map one onto the other in writing. If the mapping requires you to assume risks the booklet does not name explicitly, document the residual-risk acceptance and have the right approver sign it.

What banks are actually doing in 2026

The post-MOVEit response across financial services has not been a wholesale rip-and-replace of MFT. Nobody has the budget for that, and the regulators have not asked for it. The post-MOVEit response has been quieter and more practical: institutions are using vendor renewal cycles to ask the architecture questions they did not ask the first time. They are mapping document workflows that previously got bucketed as "just file transfer" , payroll exports, deal-jacket transmissions, FBAR filings, beneficial-ownership transmissions, audit-firm document exchange , and asking which of those workflows actually require a centralized server in the data path. For most of them, the honest answer is none.

Scan-to-email is one of those workflows. So is the SAR/CTR transmission pipeline that BSA officers run. So is the auditor document exchange your audit firm receives during the mid-cycle review. Each of these is a candidate for a stateless transport. Each of them is currently running on architecture that has Cl0p risk by design.

The finance vertical pillar on this site goes deeper into the FFIEC framework, the four-role buying committee, and the trace-template offer for your IT team to verify scan-to-email exposure on three devices in one afternoon. The auditor page covers the same argument in the language your audit firm and FFIEC examiner will recognize. If you have not yet read the audit-gap framework that paired with this post, the Morgan Stanley $35M case study is the most-shared piece on this blog and a useful companion.

If you are running an MFT product in your stack today, that product is not necessarily the wrong choice. It may be the right choice for your specific workflow. The question worth asking before next year's exam is the architecture question , not the CVE question. Cl0p answered the CVE question three times. The architecture question is yours to answer.

Take this further:

This post is a cluster page under the Finance vertical pillar. For the full bank-buyer overview, the regulatory map, the four-role persona cards, and the trace-template offer for your IT team, start there.

For the audit-firm and examiner version of this argument, see the auditor page.

KF
Written by Karl Falk Founder & CEO, Botdoc. Writes on secure document transport and regulated-industry compliance. Author profile →

Sources

  1. NIST National Vulnerability Database, CVE-2021-27101 / 27102 / 27103 / 27104 (Accellion FTA): nvd.nist.gov/vuln/detail/CVE-2021-27101
  2. Mandiant (Google Cloud), "Accellion FTA Exploited for Data Theft and Extortion," February 22, 2021: cloud.google.com/blog/topics/threat-intelligence/accellion-fta-exploited-for-data-theft-and-extortion
  3. Krebs on Security, "At Accellion: Data Theft via Old Software," February 2021: cisa.gov/news-events/cybersecurity-advisories/aa21-055a
  4. NIST National Vulnerability Database, CVE-2023-0669 (Fortra GoAnywhere MFT): nvd.nist.gov/vuln/detail/CVE-2023-0669
  5. CISA Known Exploited Vulnerabilities Catalog: cisa.gov/known-exploited-vulnerabilities-catalog
  6. Bleeping Computer, "Clop ransomware claims it breached 130 orgs using GoAnywhere zero-day," February 2023: bleepingcomputer.com
  7. Community Health Systems Form 8-K, U.S. Securities and Exchange Commission, February 2023: sec.gov
  8. NIST National Vulnerability Database, CVE-2023-34362 (Progress MOVEit Transfer): nvd.nist.gov/vuln/detail/CVE-2023-34362
  9. CISA Joint Cybersecurity Advisory AA23-158A, "#StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability," June 7, 2023: cisa.gov/news-events/cybersecurity-advisories/aa23-158a
  10. KonBriefing MOVEit victim list (third-party tracker): konbriefing.com/en-topics/cyber-attacks-moveit-list-victims.html
  11. Emsisoft, "Unpacking the MOVEit breach: statistics and analysis," ongoing analysis: emsisoft.com
  12. California Attorney General, sample CalPERS / Pension Benefit Information notification: calpers.ca.gov
  13. FTC Safeguards Rule, 16 CFR Part 314, May 2024 amendments and 30-day breach-notification provision: federalregister.gov
  14. NY DFS Cybersecurity Regulation, 23 NYCRR Part 500: dfs.ny.gov/industry_guidance/cybersecurity
  15. FFIEC IT Examination Handbook, Information Security booklet: ithandbook.ffiec.gov/it-booklets/information-security
  16. NIST SP 1800-29, "Data Confidentiality: Identifying and Protecting Assets Against Data Breaches": nvlpubs.nist.gov
  17. IBM, "Cost of a Data Breach Report 2025": ibm.com/reports/data-breach
  18. SEC Final Rule, "Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure," 17 CFR 229 (Regulation S-K Item 1.05), 4-business-day reporting requirement: sec.gov
  19. SEC, Regulation S-P 2024 amendments, 30-day customer notification provision: sec.gov
More from the blog

Keep reading

#Finance · Audit Gap

The Audit Gap That Cost Morgan Stanley $35M

Why scan-to-email never made the FFIEC IT examination handbook, the four-part structural gap behind it, and what is changing in 2024 to 2026 audit checklists.

9 min readRead →
#Security · CVEs

Five MFP CVEs Every Bank CISO Should Know in 2026

The technical post for the bank or credit union CISO chair. CVE-by-CVE breakdown with attack chains, financial-services context, and primary-source citations.

10 min readRead →
#FFIEC Exam ยท Banking

What FFIEC Examiners Are Flagging on Scan-to-Email in 2026

Five examiner-cycle patterns from the 2026 exam season. None named scan-to-email. All flagged it. The five-minute self-test for community banks and credit unions.

8 min readRead →
Next step

The GLBA + FFIEC scan-to-email self-assessment is launching this week.

25 questions across encryption-in-transit, MFP security, email security, vendor risk, and incident response. Scored against your bank's regulatory profile. Results land in your inbox; we don't post them anywhere.

Get notified when it launches