Clorox is the Latest Helpdesk Hack Victim: 28% Drop in Sales

Nametag Team

“First-quarter net sales will decrease by as much as 28% from a year ago because of the cyberattack” - Clorox, as reported by Bloomberg News

The increasingly renowned hacker group "Scattered Spider," previously implicated in cyberattacks on major casino firms MGM and Caesars Entertainment, has been identified as the primary suspect behind a significant breach at Clorox Co. This breach, disclosed initially in August, has now manifested in a nationwide shortage of cleaning products.

This cyber onslaught has had a profound impact on Clorox’s operational and financial performance. In the aftermath of the attack, the company has reported substantial drops in both sales and profits. Specifically, Clorox projected that its fiscal first-quarter net sales could decrease by up to 28% year-over-year due to the cyberattack. Furthermore, the company anticipates a decline in organic sales by as much as 26%. This cyber disruption also resulted in Clorox revising its profit expectations, forecasting an adjusted loss of up to 40 cents per share. 

In response to the MGM breach, credit rating firm Moody’s issued a statement that “highlights key risks” to businesses with a heavy reliance on technology, citing breaches as a valid reason for credit downgrades.

The ramifications of this cyber breach went beyond just financial figures. Operations at all of Clorox's US facilities were adversely impacted. Although the factories stayed operational, there were interruptions in production across several units, compelling employees to shift their focus to cleaning, maintenance, and training. As a consequence of these operational hitches and the ensuing product shortages, Clorox is also facing the risk of losing its market share to competitors.

Despite the evident magnitude of the breach, several aspects of the attack remain undisclosed. It has yet to be determined whether the hacking group deployed ransomware or only used social engineering techniques to infiltrate Clorox’s systems. The FBI is actively investigating the incident, and it is known that Scattered Spider has ties with the ransomware gang ALPHV.

Why this could happen to almost any business in the world

Companies rely on Multi-Factor Authentication (MFA) to keep employee accounts protected, but what happens when someone calls the IT helpdesk and claims to be locked out of their account? The help desk typically takes them at face value – or attempts some sort of manual identity detective work – and then grants them access so they can continue working. But what happens when that caller is a bad actor? Currently, help desk workers around the world have no reliable way to tell the difference. This has given rise to a new method of breaching accounts that doesn't even require the technical chops of hacking a password: impersonation. And, in the case of the recent MGM hack, it only took ten minutes.

Agents commonly resort to tools like these, which are not effective at determining whether the caller is a real employee or an attacker.

How to prevent it: advice from the experts

Okta chief security officer David Bradbury advises “adding a visual verification step at the helpdesk.”

Yet, while impersonation fraud like this is increasingly common, help desk agents do not have on-demand tools to efficiently identify someone over the phone or in an email/chat interaction. Your support desk needs a clearly defined procedure for resolving these lockouts, one that involves a legitimate, close inspection of the caller's ID and personal details and confirms that the human on the phone actually matches the identity details they're presenting.

Method 1: Manual “Visual Verification” 

Companies that avoid these breaches often employ an investigative team to stop impersonation fraud and employee account breaches. When support desk agents and IT teams are contacted by someone claiming to be a locked-out employee or customer, they pass the case along to these teams, who run background checks, conduct in-person interviews, and use digital tools to validate the person's government-issued ID. Imagine a process similar to the DMV. These teams can be expensive and the process can be tedious, but breaches like those at MGM and Clorox show that the cost of a breach is always higher.

Method 2: Automated “Visual Verification”

If hiring an investigative team feels too expensive, or if you're worried about employee frustrations and lost work time as they follow these processes and await results, there is another option. Some companies choose automated tools that can take someone through a secure identity verification process remotely (explore Nametag's human identity platform). Automating so much of the identity detective work typically means help desk agents can do the whole process themselves, and resolving an employee lockout or password reset this way typically only requires about 30 seconds of their time. Since exploitations of this MFA loophole have exploded in recent years, these solutions are relatively new.
