Clorox Security Breach Linked to Group Behind Casino Hacks

A notorious group of hackers blamed for recent breaches on major casino companies is also suspected of being behind a recent cyberattack against Clorox Co. that has led to a nationwide shortage of its cleaning products.

(Bloomberg) — A notorious group of hackers blamed for recent breaches on major casino companies is also suspected of being behind a recent cyberattack against Clorox Co. that has led to a nationwide shortage of its cleaning products.

Officials suspect that “Scattered Spider” is responsible for a breach that Clorox first disclosed in August, according to four people familiar with the situation, who asked not to be identified because the information isn’t public. The same group, known for its so-called social engineering tactics, was tied to attacks on Caesars Entertainment Inc. and MGM Resorts International in recent weeks, Bloomberg News previously reported.  

Clorox said Wednesday that the attack significantly reduced sales and profit in the quarter ended in September and continues to affect operations. 

Scattered Spider hackers specialize in targeting call centers and IT help desks, impersonating employees to trick support staff into coughing up information to gain access to accounts. The fallout from their recent attacks has been profound. 

Read More: Casino Hackers Use Low-Tech Tricks to Exploit Corporate Targets

At MGM properties, guests couldn’t charge purchases to their rooms, slot machines were shut down and reservation websites weren’t working. The impact on Clorox was arguably much worse.

The company didn’t respond to requests for comment. 

However, in a statement on Wednesday, Clorox said fiscal first-quarter net sales will decrease by as much as 28% from a year ago because of the cyberattack, while organic sales — which strip out currency changes, acquisitions and divestitures — are expected to fall as much as 26%. The company had previously forecast organic sales increasing by mid-single digits. In addition, Clorox expects gross margin to be down from the year-ago quarter instead of rising as it had previously thought.

Clorox now sees an adjusted loss of as much as 40 cents a share “as the impact from the cybersecurity attack more than offset the benefits of pricing, cost savings and supply-chain optimization.” Analysts, on average, anticipated profit of $1.37 a share before the cyberattack was announced.

“Based on its current assessment of the situation, the company expects to experience ongoing, but lessening, operational impacts in the second quarter as it makes progress in returning to normalized operations,” according to the statement. “Clorox is in the process of assessing the impact of the cyberattack on fiscal year 2024 and beyond.”

On Sept. 29, Clorox indicated that it was still working to recover from the disruption. “We are ramping up production and working to restock trade inventories,” the company said in a statement. “We are focusing on maximizing shipments and restocking trade inventories.”

The company previously disclosed that the attack damaged its information technology systems and caused widespread disruptions in operations. It came at a time when Clorox was already going through an internal restructuring and trying to figure out a path forward following a big sales slump in disinfectants as the pandemic waned. All of Clorox’s US facilities were affected by the cyberattack, and factories remained open despite halting production at some. Employees focused on cleaning, maintenance and training.

Read More: Clorox Hack Opens Door For Competitors to Grab Market Share

While production is ramping up now, the company hasn’t provided an estimate as to how long it may take to restore operations to normal. Clorox is meanwhile at risk of ceding market share to rivals as outages of its products — including cat litter, Hidden Valley salad dressing and Pine-Sol — show up across US retailers. Through Tuesday’s close, Clorox’s shares were off about 17% since the company announced the breach.

Still, many details of the attack remain unknown. For instance, it isn’t yet clear whether the hackers deployed ransomware, a type of malicious software that encrypts files, nor is it clear if the hacking group used social engineering to gain a foothold in Clorox’s network. Clorox said it’s working with the FBI and the investigation is progressing. 

Scattered Spider has been known to work with a ransomware gang called ALPHV. In ransomware attacks, hackers demand payment in exchange for a key that unlocks the victim’s files.

Scattered Spider is believed to be comprised of five to six core members, with their ages ranging from 19 to 25 years, according to three of the people familiar with the situation. The group is believed to be operating in the US and UK and is actively being investigated by the FBI, the people said.

 

(Updates with Clorox financial information starting in fifth paragraph.)

More stories like this are available on bloomberg.com

©2023 Bloomberg L.P.