WK Kellogg confirms employee data breach tied to Cleo file-transfer flaw
WK Kellogg Co. confirmed that at least one employee was affected in a December hack related to a vulnerability in Cleo file-transfer software, according to a regulatory filing with the Maine Attorney General's office.
The Michigan-based breakfast cereal company said Cleo servers, which were used to transfer employee files, were hacked on Dec. 7. WK Kellogg said it first learned of the hacking incident on Feb. 27.
The breached data included the name and Social Security number of one employee based in Maine. However, it is not immediately known if the personal data of other employees was also breached.
As previously reported, critical flaws in Cleo file-transfer software came under mass exploitation in December.
Cleo originally released a patch in October 2024 to address an unrestricted file upload and download vulnerability, tracked as CVE-2024-50623, in Cleo Harmony, VLTrrader and LexiCom file-transfer products.
However, security researchers found the patch did not offer adequate protection from hacking.
A second vulnerability, tracked as CVE-2024-55956, was discovered in December; it allows unauthenticated users to import or execute arbitrary bash or PowerShell commands.
Researchers from Arctic Wolf said in December that Cleo MFT products were being exploited as part of an effort to deploy Java-based backdoors.
'At the time of publication, the motivations of the threat actors had not been fully elucidated,' a spokesperson for Arctic Wolf said via email. 'Since then, [Clop] has published a message on their leak site claiming responsibility for some of the ransomware threat activity targeting organizations running Cleo products.'
Researchers at Mandiant traced a cluster of malicious activity to a threat actor tracked as FIN11, which overlaps with the Clop ransomware gang. Clop is most widely known as the group linked to the widespread attacks on MOVEit file-transfer software in 2023.
Just last week, Sam's Club said it was investigating a potential attack after Clop referenced the company on its leak site.
A spokesperson for WK Kellogg was not immediately available for comment.
Hashtags
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
CBS News
a minute ago
- CBS News
Motorcyclist, 20, seriously injured in Detroit crash on highway ramp
A 20-year-old motorcyclist is in the hospital after a crash on a highway ramp in Detroit early Saturday, according to Michigan State Police. The crash happened around 1:25 a.m. on the ramp from eastbound Interstate 96 to northbound Interstate 75. A witness at the scene told police the motorcyclist was approaching 100 miles per hour on the ramp and lost control when driving around a curve. The motorcycle hit a concrete wall, the witness said, sending both the motorcyclist and the bike over the wall and down a grass embankment. The motorcyclist from Eastpointe, Michigan, was taken to the hospital with serious injuries, police said. Northbound I-75 in the area of the crash was closed for around two hours while officials investigated.
Washington Post
an hour ago
- Washington Post
Vikings, versatile safety Josh Metellus agree to 3-year, $36M extension, AP source says
The Minnesota Vikings and versatile safety Josh Metellus agreed Saturday on a three-year, $36 million contract extension, according to a person familiar with details of the deal. Metellus, a 2020 sixth-round draft pick out of Michigan, is a key piece of coordinator Brian Flores' defense and has started 27 games the past two seasons while playing in multiple spots.
San Francisco Chronicle
an hour ago
- San Francisco Chronicle
The Tea app was intended to help women date safely. Then it got hacked
Tea, a provocative dating app designed to let women anonymously ask or warn each other about men they'd encountered, rocketed to the top spot on the U.S. Apple App Store this week. On Friday, the company behind the app confirmed it had been hacked: Thousands of images, including selfies, were leaked online. 'We have engaged third-party cybersecurity experts and are working around the clock to secure our systems,' San Francisco-based Tea Dating Advice Inc. said in a statement. The app and the breach highlight the fraught nature of seeking romance in the age of social media. Here's what to know: Tea was meant to help women date safely Tea founder Sean Cook, a software engineer who previously worked at Salesforce and Shutterfly, says on the app's website that he founded the company in 2022 after witnessing his own mother's 'terrifying'' experiences. Cook said they included unknowingly dating men with criminal records and being 'catfished'' — deceived by men using false identities. Tea markets itself as a safe way for women to anonymously vet men they might meet on dating apps such as Tinder or Bumble — ensuring that the men are who they say they are, not criminals and not already married or in a relationship. It's been compared to the Yelp of dating. In an Apple Store review, one woman wrote that she used a Tea search to investigate a man she'd begun talking to and discovered 'over 20 red flags, including serious allegations like assault and recording women without their consent.'' She said she cut off communication. 'I can't imagine how things could've gone had I not known," she wrote. A surge in social media attention over the past week pushed Tea to the No. 1 spot at the U.S. Apple Store as of July 24, according to Sensor Tower, a research firm. In the seven days from July 17-23, Tea downloads shot up 525% compared to the week before. Tea said in an Instagram post that it had reached 4 million users. Tea has been criticized for invading men's privacy A female columnist for The Times of London newspaper, who signed into the app, on Thursday called Tea a 'man-shaming site'' and complained that 'this is simply vigilante justice, entirely reliant on the scruples of anonymous women. With Tea on the scene, what man would ever dare date a woman again?'' It's unclear what legal recourse an aggrieved man might have if he feels he's been defamed or had his privacy violated on Tea or a similar social media platform. In May, a federal judge in Illinois threw out an invasion-of-privacy lawsuit by a man who'd been criticized by women in the Facebook chat group "Are We Dating the Same Guy,'' Bloomberg Law reported. The breach exposed thousands of selfies and photo IDs In its statement, Tea reported that about 72,000 images were leaked online, including 13,000 images of selfies or photo identification that users submitted during account verification. Another 59,000 images that were publicly viewable in the app from posts, comments and direct messages were also accessed, according to the company's statement. No email addresses or phone numbers were exposed, the company said, and the breach only affects users who signed up before February 2024. 'At this time, there is no evidence to suggest that additional user data was affected. Protecting tea users' privacy and data is our highest priority,' Tea said. .
