
WK Kellogg Confirms Data Breach from Cleo Managed File Transfer System Attributed to Clop Ransomware

American food giant WK Kellogg Co. has confirmed a data breach affecting Cleo, a third-party-managed file transfer system that was heavily targeted by the Clop ransomware gang.

WK Kellogg employs about 3,280 people and has an annual revenue of about $2.71 billion. Its most popular brands include WK Kellogg’s Frosted Flakes, Corn Flakes, Froot Loops, and Rice Krispies.

According to cyber incident notification letters sent to impacted customers, WK Kellogg learned of the cyber intrusion on February 27, 2025.

The Battle Creek, Michigan-based food manufacturer responded by launching an investigation and contacting Cleo, and determined that an unauthorized entity had gained access to Cleo-hosted servers on December 7, 2024.

Kellogg confirms file transfer data breach

The U.S. food giant confirmed that the attacker accessed files containing sensitive personal information, including names and Social Security Numbers.

Kellogg used the file transfer system to send employee files to HR providers, suggesting that the data breach affected employees. One Maine and three New Hampshire residents were affected by the file transfer data breach, but the total number of victims remains unknown.

In response, Kellogg is offering 12 months of complimentary credit monitoring and identity theft protection services via Kroll. Victims should also remain vigilant and monitor their financial statements and credit reports for suspicious activity.

They should also consider placing credit freezes to prevent fraudsters from opening new credit lines without authorization.

“Victims of the data breach should ensure that they have locked their credit to avoid illicit accounts being opened in their names, and should be on the lookout for potential signs of identity theft,” said Erich Kron, security awareness advocate at KnowBe4.

The food giant also requires vendors, including the file transfer system developer, Cleo, to apply additional security measures to address the incident.

“WK Kellogg requires vendors, including Cleo, to use appropriate security measures, and we have worked with Cleo to identify the measures it has taken to address this incident,” the company stated.

Meanwhile, Kellogg has yet to attribute the data breach to any cyber gang. However, the Clop ransomware gang listed the food manufacturer on its data leak site alongside other targeted companies. So far, Kellogg has not disclosed if the threat actor has made any ransom demands.

The attacker exploited two vulnerabilities, CVE-2024-50623 and CVE-2024-55956, in Cleo’s Harmony, VLTrader, and LexiCom file transfer software.

The file transfer software developer had issued a security fix for CVE-2024-50623, an unrestricted file upload and download vulnerability, in October 2024 but failed to fully address the issue.

Cleo had also issued a security advisory for CVE-2024-55956, a critical (CVSS v3 9.8) vulnerability that allowed an attacker to import and execute arbitrary Bash or PowerShell commands.

Ransomware gang targeted file transfer vulnerabilities

Besides WK Kellogg, the Clop ransomware gang targeted tens to hundreds of other organizations using the Cleo file transfer vulnerabilities.

Once again, the data breach proves that third-party vendors are an Achilles’ heel for primary organizations that cannot fully vet their business partners’ cybersecurity practices.

“This incident is a textbook case of a third-party solution breach: A vendor has a vulnerability, it gets exploited, and the customer takes the hit,” lamented Dirk Schrader, VP of Security Research at Netwrix. “The most troubling part, in this case, is the delay. It took 82 days to become aware of a breach that was widely reported, even listed by the Cybersecurity & Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog as early as December 13, 2024.”

However, in its previous SEC security filing, WK Kellogg claims it “employs a variety of processes to address cybersecurity threats related to third-party technology and services, including privacy, solution and vendor risk assessments, imposition of contractual obligations, and performance monitoring.”

Nonetheless, third-party zero-day vulnerabilities are difficult to predict due to the lack of visibility into the vendor’s code and software development practices. Many third-party developers also fail to publish a software bill of materials (SBOM), adding another layer of obscurity for primary organizations.

“A strong cybersecurity posture starts with knowing what you have. To prepare for opposing third-party-related cyber threats, organizations need an up-to-date, monitored inventory of all software, services, and systems. This could be achieved with automated asset discovery tools and continuous monitoring solutions that track changes and alert potential vulnerabilities,” concluded Schrader.