Posted on: October 5, 2023, 10:57h.
Last updated on: October 5, 2023, 10:57h.
Shares of consumer staples giant Clorox (NYSE: CLX) are down nearly 9% in midday trading on Thursday after the company warned investors of an expected fiscal first-quarter loss due to a recent cyber attack.
Clorox, known for brands like Brita, Burt’s Bees, Liquid-Plumr, and Pine-Sol, revealed that it suffered a data breach believed to be the work of the cybercrime group known as “Scattered Spider.” This same group targeted Caesars Entertainment and MGM Resorts International, causing significant damage and extracting a payment of $15 to $30 million.
Based on its current assessment of the situation, the company expects to experience ongoing, but lessening, operational impacts in the second quarter as it makes progress in returning to normalized operations,” said Clorox regarding the breach. “The company also expects to begin to benefit from the restocking of retailer inventories as it ramps up fulfillment in the second quarter.”
Clorox anticipates a first-quarter net earnings per share loss of 35 to 75 cents and a decline in net sales of 23% to 28%.
Clorox Faces ‘Widescale Disruption’
Ransomware attacks, like the one experienced by Clorox, have become increasingly prevalent. These attacks force victims to pay the hackers or face severe financial consequences. Clorox commented that the breach caused a “widescale disruption” to its operations.
Cybersecurity experts and providers have been warning of the rising frequency of ransomware attacks. Last month, identity management company Okta disclosed that several clients, including Caesars and MGM, had recently been targeted. It is unclear if Okta provides services to Clorox as well.
“The company is operating at a lower rate of order processing and has recently begun to experience an elevated level of consumer product availability issues,” said Clorox in a Sept. 18 filing with the Securities and Exchange Commission (SEC). “The cybersecurity attack damaged portions of the Company’s IT infrastructure, which caused widescale disruption of Clorox’s operations.”
MGM Update Still Pending
Recent SEC regulations mandate that publicly traded companies disclose material information related to cybersecurity risk management, strategy, and governance. Clorox has complied by filing multiple reports with the commission regarding the cyber breach. Caesars also confirmed that its insurance carrier covered the ransom payment.
MGM, however, has not provided an update since September 13, despite the 10-day attack by Scattered Spider on its Cosmopolitan operation. The SEC expects more prompt reporting in the case of cyber incidents.
“An Item 1.05 Form 8-K will generally be due four business days after a registrant determines that a cybersecurity incident is material,” according to the agency. “The disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing.”