
2023 Data Breach Cost to Clorox and Johnson Controls Reaches Nearly $76 Million

Recent Securities and Exchange Commission (SEC) filings reveal that Clorox and Johnson Controls incurred a combined data breach cost of nearly $76 million in 2023, the larger share of it stemming from the Clorox cyber attack reported in August of last year. This follows Clorox's November 2023 earnings report, which attributed a 20% decline in net sales, a drop of about $356 million, to complications from the attack.

Clorox reported a total of $49 million in incremental expenses related to the attack through the end of 2023, while Johnson Controls reported data breach costs of nearly $27 million. The money went to remediation costs such as third-party contractors, as well as added operating costs caused by the disruption.

Data breach cost driven by production outages, business interruption

Clorox said that it expects some further expenses in the coming months, but that most of the data breach cost has already been incurred. The company said that in addition to bringing in recovery and forensics experts over the past few months, it also had extra spend related to working around the business interruption caused by the attack. CEO and chair Linda Rendle has said that second quarter results are strong on the back of faster-than-expected resupply of retailer inventories and more resources available for merchandising.

Johnson Controls, whose data breach cost was only about half of Clorox's, foresees similar ongoing but reduced spending on remediation across the first half of 2024. The company said that disruption to its billing systems was particularly acute, but that a substantial portion of its expenditure will be recovered via insurance claims.

Both companies suffered ransomware attacks, but from two different sources. Clorox is thought to have been hit by Scattered Spider, as part of its mid-to-late 2023 spree of attacks that included MGM and Caesars. The Clorox attack forced the company to shut down an assortment of production systems in August of last year, leading to temporary shortages of some of its products on retail shelves. Johnson Controls is thought to have been hit by Dark Angels, suspected to be an offshoot of the notorious Ragnar Locker group that was taken down by an international operation in October 2023. Dark Angels claimed to have stolen 27 TB of data and reportedly demanded a $51 million ransom for decryption and data recovery, which was rebuffed.

Callie Guenther, Senior Manager of Cyber Threat Research at Critical Start, notes that the SEC filings from the two companies are unusually transparent and detailed about the data breach costs, though not all of this detail is strictly necessary under the law: “The incidents involving Clorox and Johnson Controls highlight significant operational disruptions and financial losses due to cyber-related incidents, emphasizing the rising costs and complexities associated with managing and mitigating such threats … The requirement for companies to report significant cyber incidents to the SEC is part of an effort to increase transparency and provide stakeholders with information about material risks to the company. While the new SEC rule on cybersecurity risk governance, proposed in March 2022, aims to standardize disclosures related to cybersecurity risk management, strategy, and governance, it is unclear if these specific filings by Clorox and Johnson Controls were directly in response to this rule, especially given the timing of the attacks. However, the trend towards more frequent and detailed disclosures could be influenced by regulatory expectations and the increasing recognition of cybersecurity incidents as material risks that can impact financial performance and operational continuity. The transparency provided by such filings serves multiple stakeholders. For investors and shareholders, it offers a clearer picture of the financial and operational health of a company, including potential vulnerabilities and the costs associated with managing cyber incidents. For the broader industry, it serves as a valuable data point on the nature of cyber threats and the financial implications of such incidents, helping other companies to better prepare and allocate resources towards their cybersecurity efforts. Comparatively, the level of detail and transparency in these filings since the start of the year seems to be increasing, reflecting a broader shift towards more openness about cybersecurity incidents.”

“This trend is likely driven by regulatory pressures, shareholder demands, and a growing acknowledgment within the corporate sector of the importance of cybersecurity as a critical component of risk management. Overall, these incidents and their disclosures through regulatory filings underscore the pervasive threat of cyberattacks across industries and the need for comprehensive cybersecurity strategies that include not just technological defenses, but also employee training, incident response planning, and continuous monitoring and updating of security protocols to adapt to the evolving threat landscape,” added Guenther.

John Bambenek, President at Bambenek Consulting, additionally notes that some marketing on Clorox’s part may be going on: “SEC reports have only one target constituency: potential and actual shareholders. Clorox had to write some big checks and that’s relevant to their financial reports that investors rely on to make decisions. This particular filing is trying to paint their response to the attack in August as a success story that ultimately led to a 16% increase in sales. Usually these kinds of statements are more neutral.”

Ransomware remains potent and expensive as criminals target smaller businesses

Recent research by IBM finds that data breach costs are trending upward, presently sitting at a global average of $4.45 million. That number varies greatly by country, however, with the United States leading the pack at an average cost of $9.48 million per breach. Detection and escalation tend to be the largest share of data breach cost, at a global average of $1.58 million; post-breach response and recovery is not far behind at $1.2 million.

During the ransomware resurgence of the past few years, the trend had been for the most dangerous gangs to target larger enterprises, on the assumption that the victim's cyber insurance could be counted on to pay. Over the past couple of years that has become less and less true, as the cyber insurance market (particularly ransomware coverage) has drastically tightened. This has in turn sent bigger ransomware players after smaller targets, which are less likely to have extensive backups or to be prepared to recover from a sudden attack. Attackers ask smaller sums from these smaller businesses, but attempt to hit more of them, as they tend to be ill-prepared and have small (or even non-existent) cybersecurity defense teams.

Some research indicates that data breach costs, relative to revenue, may thus be highest for small businesses, which are also less able to absorb the damage and continue to function normally. That does not mean that cyber criminal groups are having extreme trouble getting into large enterprise networks, as Scattered Spider spent the back half of 2023 demonstrating; it is simply that smaller businesses have less capacity to route around damage and quickly restore from backups, as Clorox did in response to its attack.

Darren Guccione, CEO and Co-Founder at Keeper Security, adds: “The 2022 US Cybersecurity Census shows the average U.S. business experiences 42 cyberattacks per year, three of them successful – and IT and security executives expect that number to continue growing each year. Further, our most recent survey of more than 800 IT security leaders around the globe found the vast majority (95%) believe cyberattacks are more sophisticated than they have ever been. Because cybercriminals target every-sized organization across all major industries, cybersecurity prioritization and investment before a cybercriminal strikes is critical for organizations of all sizes.”

Fergal Lyons, Cybersecurity Evangelist at Centripetal, notes that ransomware defense and response will continue to be a priority for organizations for at least the near future: “Cybercriminals continue to find ransomware to be a highly lucrative industry, as they capitalize on vulnerabilities and exploit careless employees. The methods employed are diverse, tailored to the specific companies they target. Thus, it is imperative that all businesses take extra precautions to avoid becoming the next target. Utilizing already available threat intelligence on how and where these ransomware groups operate can thwart impending attacks and avert data breaches. Adopting a proactive stance against potential threats is crucial, as any reactive approach will invariably be too late and likely result in irreversible harm. In fact, a strong, preventative cybersecurity posture is much more cost effective than having to dole out a ‘cure’ in the fallout of an attack.”