Was Your Data Compromised in the WK Kellogg Ransomware Attack?

A significant data breach at WK Kellogg Co. has been traced back to vulnerabilities in the Cleo file transfer software. Unauthorized access to sensitive employee data occurred on December 7, 2024. The breach was identified by WK Kellogg on February 27 and reported to the Maine Attorney General’s Office by April 4. The compromised data includes at least one employee’s Social Security number, with the full extent of the data breach still under investigation.

The attackers exploited two critical vulnerabilities in the Cleo software, known as CVE-2024-50623 and CVE-2024-55956. The first vulnerability, poorly patched in October 2024, allowed for unrestricted uploads and downloads. The second, discovered in December, enabled unauthenticated users to execute arbitrary commands, leading to potential malware deployment. Cybersecurity experts believe the notorious Clop ransomware group, known for targeting enterprises using Cleo products, is behind the attack.

During the data breach, WK Kellogg’s personnel files were compromised while being transferred to HR service providers. In response, the company has offered free identity theft protection, including credit monitoring and fraud resolution services through Kroll, to those affected. Cybersecurity expert Erich Kron from KnowBe4 highlighted the significant risks posed by zero-day vulnerabilities and the potential for identity theft from stolen HR files.

The incident underscores the persistent threat posed by sophisticated ransomware groups and the difficulty in defending against zero-day exploits. This data breach highlights the urgent need for stringent cybersecurity measures and proactive management of software vulnerabilities.
