A cyber attack disclosed by Clorox in mid-August is now expected to negatively impact first quarter results for 2024 due to “widescale disruption” that the company is still struggling to recover from. A recent SEC filing indicates that product shortages through this period should also be expected, though the company did not specify exactly what might be missing from shelves.
Negative impact on first quarter results, product shortages expected as Clorox struggles with cleanup
Clorox released little public information about the August 14 cyber attack, but did indicate that it took certain systems offline temporarily and had to switch to manual processing of at least some of its orders. Clorox has not attributed the attack and no known cyber criminal groups have publicly taken credit as of yet, but the extended downtime points to a ransomware incident similar to the one recently suffered by MGM.
The SEC filing indicates that the company is experiencing an increased rate of “product availability issues” as it continues manually filling some orders. However, the company believes that the cyber attack is contained at this point and is in the recovery phase.
Clorox also anticipates that full automated order processing will be restored the week of September 25, but does not yet know when full operation across the company will be restored.
The SEC filing was triggered, however, by a belief that there will be a material impact on upcoming first quarter results. Clorox said that it will provide a financial update beyond first quarter results after it has better “visibility” into the long-term situation.
Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, notes that first quarter results could be even worse if the nature of the attack becomes public: “Clorox doesn’t share what type of attack it is, but it sounds in line with other ransomware attacks. This is one of those ever less rare cases where a cyberattack impacted production in a way that can be felt by consumers. Clorox’s share price is down in the news. What’s missing from the announcement is how it occurred (i.e., social engineering, unpatched software, etc.) and what steps Clorox is taking to make sure the same type of attack doesn’t happen again.”
Details about the potential product shortages also remain thin. The company is most famous for its disinfecting wipes, cleaning sprays and bleach sold under its own name. However, it also owns over a dozen other popular brands including Liquid-Plumr, Pine-Sol, Glad, Brita, Fresh Step and Burt’s Bees. It has even expanded into food with Kingsford charcoal and meat products, and Hidden Valley Ranch dressings. There is some speculation that the hardest-hit areas will be those that were already trying to restock supply after the greatly increased demand of the pandemic period, such as hand wipes and cat litter.
The news about first quarter results has already triggered some market activity, with Clorox trading over 1% lower to start the week.
Little is still known about Clorox cyber attack
Clorox has said that it is continuing to investigate the cyber attack and is working with the FBI, but has said little else other than what was contained in the brief SEC filing about first quarter results and possible product shortages.
The cyber attack is at least a little unusual in that the length of time to restore normal operations, and particularly the news about anticipated product shortages, would indicate Clorox has opted not to pay a ransom and is rebuilding systems from backups. However, there has been no known claim of responsibility for the attack on the dark web or any threat to dump the company’s data, something that now usually accompanies any ransomware incident. Casino giant MGM is a more typical recent example of a company that chose to go down this path, with its full recovery expected to take weeks and various aspects of its business offline in the interim.
It would help to have more details, but US companies are subject to relatively little in terms of breach disclosure requirements unless they are in a CISA-defined critical infrastructure category. What little has been revealed is due to the SEC requiring that incidents that may have a material impact on publicly traded companies be disclosed within a fairly short window, for the sake of investors rather than parties that may have lost their data. This is also the reason we became aware of the recent Caesars Entertainment cyber attack, which was perpetrated by the same group that hit MGM. If the first quarter results were not expected to be impacted, or product shortages were not possible, we likely would know even less than we know now.
Though neither has been confirmed as a factor in the Clorox cyber attack, ransomware attacks appear to be back on the upswing (after something of a post-pandemic lull) and social engineering is an increasingly popular way to initiate them (even more so than scanning for unpatched vulnerabilities). Comparitech tracks 322 confirmed ransomware attacks in the US, a number that is on pace to meet or exceed 2022 totals. Attackers are also increasingly exfiltrating data before locking target systems up, in a likely bid to have some sort of revenue if the victim opts to restore from backups instead of paying. The Clop ransomware group, responsible for the recent string of MOVEit hacks, appears to have simply shifted to data extortion rather than even attempting to fire off ransomware, something that may be more broadly adopted as organizations become increasingly aware of the importance of backups and also struggle to obtain ransomware insurance coverage.
Willy Leichter, VP of Cyware, sees this as a reminder to organizations of all sizes to consider the possibility of financial impacts and product shortages should a cyber attack strike: “The true costs of a breach and lingering business disruption can be much larger than many risk models assume. Maintaining business continuity requires a holistic approach: regular software patches and updates, multifactor authentication, ongoing security training, incident response planning, backups, and actionable threat intelligence. Cybersecurity is complex, and the importance of speed and accuracy cannot be overstated. IT and security teams must be empowered to collaborate so that the right intel gets to the right people to rapidly take the right actions.”