Clorox Co. on Oct. 5 announced advance financial information for the first quarter of 2024, and among the ramifications of the serious cyberattack the company suffered in August: Net sales are expected to decrease between $487 million and $593 million and the company predicted a 23% to 28% decline in sales from projections released at the end of its Q4 2023.
The release predicted "mid-single digit" increases from Q4's $2 billion in net sales; a 5% increase would have suggested a $2.1 billion quarter. Clorox expects operational impacts from the cyberattack to continue into the second quarter, though the majority of order processing operations have returned to automated processes. The company continues to assess impacts of the attack on the remainder of fiscal year 2024.
The days of manufacturers discretely cleaning up from the damage of successful cyberattacks and their financial ramifications are over, and shareholders are paying attention.
Clorox on Aug. 14 disclosed via a U.S. Securities and Exchange Commission filing that the company had “identified unauthorized activity on some of its Information Technology (IT) systems” that was “expected to continue to cause disruption to parts of the Company’s business operations.”
Then, on Sept. 18, Clorox filed another SEC report stating it believed the hack was contained but resulted in slower production rates and “an elevated level of consumer product availability issues.” News of the filing spread widely throughout the media and Clorox’s stock price dropped about 2% between market close on Sept. 18 and market open the following day.
It’s a textbook example of why no company wants to advertise a cybersecurity breach and also suggests why manufacturers are so likely to pay ransomware bounties and make these kinds of problems go away. But Clorox’s disclosures are in keeping with new SEC rules that require disclosure of material cybersecurity incidents within four days of an incident.
“If it weren’t for the new SEC rules, it’s likely that this attack wouldn’t be making headlines right now. The incident was originally disclosed in August, but Clorox is just now disclosing that it will have material impact because of the new rules that went into effect on Sept. 5,” said Chaz Lever, senior director of security research at cybersecurity firm Devo.
“They’re one of the first companies to have to do this, and it’s definitely uncharted territory, which is why Clorox's string of updates and bulletins are drawing attention. Business leaders are watching and wanting to know how this is going to play out because they don't want to find themselves in a potentially similar state of confusion in the future,” Lever added.
Cybersecurity hygiene matters
The Clorox hack may demonstrate the value of heeding cybersecurity experts’ most common recommendations—keep your digital house clean and disinfected. For example, the need to train employees about social engineering, how threat actors might try to trick them into giving up usernames and passwords, mandating minimum acceptable password complexity and changing them at specific intervals.
According to multiple reports, social engineering is one of the most common attack vectors used by threat actors and cyberattacks against manufacturers very often involve ransomware. Both seem to apply to the Clorox breach.
“Clorox’s attack has all the hallmarks of a ransomware attack. This is all part of an ever-growing threat on social engineering combined with ever more evasive and adaptive attack techniques and tactics,” said Mark Guntrip, senior director of cybersecurity strategy for Menlo Security.
“From the information we have, it’s very likely that the same threat actors [the UNC3944 or Roasted 0ktapus groups] behind some of the recent business-disrupting breaches [in the travel industry] might also have had a hand in this incident. If that’s the case, I would imagine that the adversaries used social engineering tactics to gain access to the company’s systems,” said Tyler Farrar, CISO at Exabeam.
“This likely would have either: A, allowed them to promptly deploy ransomware or B, Clorox locking down all systems before the ransomware could spread, resulting in immediate disruption to the business. As a result, the supply chain was disrupted, which leads to backups in manufacturing and shipping,” Farrar added.
Pivotal aspects of cybersecurity hygiene include contingency plans to limit the damage in the event of an IT system compromise and the need for data backups and redundancy to aid in speedy recovery.
“The fact that it will take Clorox more than a month to recover normal operations is not a good sign. It indicates to me that the adversary was able to penetrate the backbone of Clorox operations and impact multiple systems throughout the Clorox environment,” said Avishai Avivi, CISO at cybersecurity firm SafeBreach.
The specific nature of Clorox’s business adds wrinkles to the process of spinning production back up to normal levels.
“What makes this incident special is it involved changes to [GxP] regulated systems that have to be completely shut down and rigorously tested before production can be resumed. Resuming production itself is a very long process and can only begin after the incident has been resolved, the investigation completed, the necessary controls implemented or changed, and the relevant software updates have been written, tested, and deployed,” said Nick Ascoli, founder and CTO at Foretrace.
Hack recovery ongoing
In its Sept. 18 filing, Clorox stated it was repairing damaged infrastructure and bringing systems back online and expected a return to normal automated order processing this week.
“We expect the ramp-up to full production to occur over time but do not yet have an estimate for how long it will take to resume fully normalized operations,” a Clorox representative told IndustryWeek, a sister publication to Smart Industry.
“Recovery periods from ransomware can fluctuate due to various factors such as encryption, forensic investigations and system building. Given that Clorox was still in the midst of its forensic investigation, it might have contributed to a more prolonged financial impact and supply chain disruption,” Farrar noted.
The Clorox hack may serve as an object lesson beyond validating common cybersecurity guidance, indicating how manufacturers need to address successful hacks in the new reporting environment dictated by the Sept. 5 change in reporting guidelines.
Farrar added: “It’s commendable that Clorox disclosed this incident just three days after discovering the breach. Clorox’s transparency is a testament to its strong crisis-management policies and its commitment to learning from the incident. While any organization can become a target of such an attack, how it handles the response will make or break its reputation in the future."