WK Kellogg, the breakfast cereal company based in Battle Creek, Michigan, confirmed reports that company data was stolen in a late 2024 cyber attack. The vulnerable component has been identified as Cleo, a third-party file transfer platform that Kellogg uses for its human resources data.
A single employee had been confirmed as impacted, though for a manufacturer like Kellogg the implications are certainly more far-reaching. The company filed a data breach notification with the Maine Attorney General’s office, which creates a public record of the incident. In this case, it shows that the breach took place in December of 2024, but wasn’t discovered until two months later.
Likewise, Cleo has faced scrutiny over its platform’s involvement in further attacks. These have been pinned on the Clop ransomware gang and are said to have hit several companies over a two-month period in late 2024. Cleo had reportedly released a patch in October, intended to address unauthorized file uploads and downloads, which was later deemed ineffective.
According to Erich Kron, security awareness advocate at KnowBe4, “Zero day flaws, such as those that have been exploited by the Clop ransomware group, are extremely difficult to defend against. Because these stolen files are HR-related employee files, the information within them is liable to be very sensitive and could easily lead to identity theft for those affected.”
Notably, Cleo has been implicated in other incidents where data of high-profile customers has been compromised, including one reported in April by Hertz. The rental car company confirmed that a threat actor had accessed certain personnel data and more than 3,400 Maine residents were said to have been impacted, but there could be more in other states.
Victims in these data breaches “should ensure that they have locked their credit to avoid illicit accounts being opened in their names,” said Kron, adding that they should also be on the lookout for potential signs of identity theft.