On August 14, 2023, Clorox disclosed via an SEC filing that the company had “identified unauthorized activity on some of its IT systems” that was “expected to continue to disrupt parts of the Company’s business operations.” The following month, the household brand filed another SEC report, which revealed they believed the hack was contained but resulting in slower production rates and “an elevated level of consumer product availability issues.” Within Clorox’s SEC filing of the attack, the company predicted their fiscal first-quarter net sales will decrease a loss of 23%-28% in net sales as well as a loss of share price ranging from 35-to-75 cents, significant order processing delays, as well as “an elevated level of product outages.” With impacts estimated to go into 2024, Clorox stated that losses “will be material on Q1 financial results.
The cyber attack cost Clorox a total of $356 Million in damages, significant deceleration in order processing, and scarcities of their signature cleaning products on store shelves. The cyberattack damaged part of its IT infrastructure, which led to widespread disruption of its production capabilities leading them to start manually processing orders and resulting in a struggle to meet consumer demand. The Clorox Company brands also include Pine-Sol, Brita, Glad, Burt’s Bees, and more.
According to Security Intelligence, up to 40% of cyber threats are now occurring directly through the supply chain. Even with measures for prevention and a robust response strategy, the threat of social engineering can snowball into significant costs for these conglomerates.
Who’s Responsible?
It’s speculated that the hacking group known as Scattered Spider, also known as Muddled Libra or UNC3944, whose members authorities believe are between just 17 and 22 years old, are the suspects of this attack. Applying the same social engineering tactics seen in several of the popular cyberattacks of the same year, this group of bad actors has succeeded in circumventing the digital infrastructure of several enterprise-level companies. To execute the social engineering attack at this scale, the collective of hackers in question gained access to the internal operations of several major businesses by obtaining the highest level of user privilege within their digital infrastructure – the admin. The success of social engineering cannot be understated, as it’s said to be used in 98% of successful cyber crimes in 2022.
Once the systems have been compromised a ransom is given. A high asking price to restore data and operations back to the conditions prior to the attack. Taking down a company of any size simply by calling and convincing customer support to reset the admin credentials of high-level employees targeted across social platforms and search engines. In the particular case of targeting a manufacturer, a supply chain attack can launch from a compromised system and infiltrate the systems of third-party vendors, creating a web calamity that can compromise entire business relationships. These supply chain attacks target various dependencies to create new vulnerabilities where further cyber attacks can take root.
Targeting over 100 organizations within the last year, these hackers use legitimate remote access tools running legitimate software with endpoints installed. Given their age and background, it’s speculated that the hackers likely began playing online games with marketplaces and communities. Gaining familiarity with cryptocurrency to gain anonymity. Despite extensive familiarity with open-source software and bypassing safeguards, these Gen Z hackers succeed mostly through the fundamental approach of social engineering—unleashing tactics on call centers and IT help desks to access high-level accounts identified and targeted via social platforms such as LinkedIn.
Founder of CyberTech Analytics, Chase Fopiano, a cybersecurity provider that combines the worlds of both law enforcement and information security, explains, “As more companies and employees are focusing on identifying phishing emails and suspicious files, sophisticated hacking groups are realizing it is just as easy to get into a network through social engineering tactics.”
“An advantage to targeting these types of companies is twofold. On one hand, the greater amount of time their systems are unavailable, the higher the loss of money the company will suffer. Consumer-centric companies are seen as a prime target because they more likely will pay a ransom to get their systems back online and operational so they do not continue to suffer financial loss.”
-Chase Fopiano,
Founder of CyberTech Analytics
If there are similarities to the targets of these hackers, they are going after businesses that rely on continuity and maintaining reliability with their associates, partners, vendors, and customers. A data breach can bring down a business like a house of cards by creating product shortages, productivity loss, and forcing businesses to utilize manual operations. A breach can force a business’s operations to go manual, which can have tremendous impacts on many levels of the business like creating product shortages. This is just one way these hackers can hemorrhage money, often leaving experts unable to fully calculate the total loss or even anticipate where the revenue is going. Targeting business continuity empowers hackers with more ransom demands.
The Success of Social Engineering Cyberattacks
Social engineering is becoming more sophisticated with deepfakes, generative AI, and malware-generated content that can use machine learning to adapt to their target. The primary advantage of social engineering is that it targets the human factor of a company’s cybersecurity. It exposes oversights or lack of training on behalf of the company to take advantage of these businesses. It’s plausible that AI can further exacerbate the threat through voice modeling alongside deepfake technologies that can trick not only a security infrastructure but also the Internet of Things.
Impact, Response and Public Perception
Industry experts view the recent attack on Clorox, as well as the news coverage of the subject, as reflective of the new rules adopted by the Securities and Exchange Commission relating to cybersecurity risk management, strategy, governance, and incident disclosure by public companies. Item 1.05 of Form 8-K requires disclosure of any cybersecurity incident determined “to be material and to describe the material aspects of the incident’s nature, scope, and timing, as well as its material impact or reasonably likely material impact on the registrant” within four business days.
Both Item 1.05 of Form 8-K and other rules adopted by the Securities and Exchange Commission will assist in two much-needed advancements. Primarily, it increases the presence of cybersecurity in the boardroom, no longer siloed within the IT department. A recent study by Gartner predicts that by 2026, 70% of boards will include one member with expertise in Cybersecurity. Businesses are inclined to go beyond reactive defense and elect a more prepared approach.
The second advancement is the increase of transparency to the public about recent cyberattacks. Before this rule, businesses were paying the ransom to hackers not only to restore operations and recover data but also to keep the story from going public. Faced with the story getting out alongside the loss of sales and critical operation, the asking price for the hackers can prove significantly lower than the cost of damages once the attacks are ongoing and the company’s function becomes compromised.
According to the 2023 Data Breach Investigations Report by Verizon, ransomware was present in 15.5% of cybercrime incidents included in the study. As mentioned about the actors in question, targeting companies with daily operations, in this case, manufacturers, can create ripple effects that can snowball down the supply chain and into relations with vendors, partners, and ultimately, customers. These inconveniences can add up, and Clorox is determining the impact this attack will have on 2024. Facing the loss of consumer trust, an impact on sales, and complications of business relationships, paying tens of millions to prevent over half a billion in damages would appear as a bargain.
Solutions & Recommendations
It must always be emphasized that in the case of these costly cyberattacks, an ounce of prevention is worth pounds of cure. Training and preparing public and customer-facing staff to be aware of social engineering and other ways that hackers go after the human factor to breach the critical operations of a business is paramount to prevention and making sure these companies don’t go through the same scenarios again.
Furthering the investment in cybersecurity talent and awareness training, AI should also be leveraged as a critical component of this fight. Fighting AI-powered bad actors without leaning into artificial intelligence creates unwanted disadvantages. Experts view AI as a new game piece on a chess board, capable of empowering businesses and bad actors alike. AI levels up awareness and can assist with providing education and training to employees, providing predictive and proactive neutralization measures, creating robust protocols, enhancing account security, and creating advances in detection and defense to stay a step ahead.
Businesses are making greater commitments from leadership towards the direction of their cybersecurity strategies alongside strengthening their practices for identity management, data governance, and prioritization of training and education.
The Clorox cyberattack serves as a testament to the importance of cybersecurity in maintaining business continuity. These attacks have short and long-term consequences that aren’t all fully visible during the initial stages of an investigation. When business continuity collapses, costs climb and consumers are inconvenienced. This shows that the impact of cyberattacks are way more than just missing product from the shelves, but also the earnings decline that’s bound to be discovered down the line.
Want to read up on high-profile cyberattacks that have made headlines? Check out our analysis of the MGM cyberattack.