How old-fashioned hacking may have taken Clorox off store shelves for months

By Scott Nover

There’s a reason you’ve maybe been struggling to find Clorox products on store shelves: For the past two months, the consumer products giant has been struggling with a large-scale bleach breach.

On August 14, Clorox—which makes not only its namesake bleach, but also a wide range of products, including Glad trash bags and Burt’s Bees skin products—announced in a regulatory filing that it discovered “unauthorized activity” in its computer systems. More than a month later, on September 18, the company filed another disclosure indicating that the attack took many of its automated systems offline—including those by which large retailers order products. When big box retailers like Walmart and Target order their products, Clorox has had to process those orders manually, leading to a slowdown of operations and fewer products making it to store shelves. 

Last month, Clorox said it believed the attack was finally “contained” but expected there to be a “material” impact to its quarterly financial results. In preliminary results released on October 4, Clorox said, due to the attack, its sales fell 21%-26% during the fiscal quarter. Beyond the revenue hit, there’s been a new cost—actually responding to the hack. Last week, the company said it’s already spent $25 million securing its systems after they were breached. 

In turn, Clorox stock has plummeted 25%—from $160 per share to $120—since the company first announced the breach in August.

Clorox isn’t the only major company to get hacked recently, but the others might feel like more natural targets. When MGM Resorts International was hacked, slot machines went dark, hotel room keycards stopped working, and guests waited for hours to check into their rooms. The hack, first disclosed on September 11, dragged on for 10 days before the company announced it was “back to normal operations.”

Around the same time, hackers breached Caesars Entertainment, threatening to release sensitive customer data, including driver’s license and social security numbers, unless the company coughed up $30 million as ransom. Caesars paid $15 million—half of the requested amount—in the name of protecting customers.

While casinos, banks, and other cash-facing businesses seem like obvious targets for extortionary cybercriminals, that’s mostly an illusion, cybersecurity experts told Fast Company. It’s not that casinos aren’t ripe for hackers; it’s that every large company is.

Sometimes, boring companies get hacked too.


So, how did this actually happen? It’s suspected that Clorox, MGM, and Caesars were all victims of what’s called social engineering.

Social-engineering attacks target people in order to gain access to computer systems. Hackers often use simple methods like phone calls and text messages to get employees and vendors to open the digital doorway. “Social engineering attacks the human component to breach security,” says Katie Moussouris, founder and CEO of Luta Security. “Calling a help desk to impersonate a valid user or fooling someone into clicking a link to malicious software or redirecting users to a site that mimics a legitimate login page to harvest their passwords are all examples of social engineering attacks.”

It’s been difficult to divine how exactly hackers gained access to these companies. Only Caesars has confirmed it was breached through a social-engineering attack, divulging that one of its third-party IT vendors was compromised, allowing the hackers to gain access to its systems. In recent years, social-engineering attacks have been used to breach major U.S. companies including Uber, Twilio, and Twitter.

Rachel Tobac, the CEO of SocialProof Security, thinks there’s a good reason why these seemingly old-fashioned attacks are coming back in style. “We just see the same social-engineering methods playing out time and time again because our technical tools have gotten stronger,” she says. “Our technical tools can catch the phishing emails, so now attackers are going back to basics with phone calls like they used to back in the day. It feels like a throwback, but it’s what they do now because it’s what works.”

MGM has not publicly confirmed that social engineering is to blame, but multiple news outlets, including Bloomberg and Reuters, have reported that the MGM and Caesars attacks were both executed by a group called Scattered Spider, known for their social-engineering attacks. Bloomberg recently suggested that the group might be behind the Clorox hack as well, though the company has not publicly confirmed as much.

David Bradbury, the chief security officer of the identity verification company Okta—used by both MGM and Caesars—has indicated that “all signs are pointing” to Scattered Spider as the culprit behind the Clorox cyberattack. On August 31, Okta issued a public advisory warning that social-engineering attackers have been targeting IT help desks and manipulating technicians into handing over access or credentials.

Tobac says these can be some of the toughest attacks to preempt. “Human beings are fallible, we’re not technology,” she tells Fast Company. “Whereas computers can be protected by updating software, we have to update the way that people think about attacks.”

And, as the Clorox hack shows, cyberattacks don’t just target cash-facing operations like casinos. Luta Security’s Moussouris wants all companies to heed that warning.

“Attackers operate toward efficiency and return on their investment, seeking targets of opportunity, especially in the age of ransomware,” she says. “Ransomware and being able to receive payment in cryptocurrency turned many organizations that might not have seemed interesting to attack into potential piggy banks.”

Fast Company
