WK Kellogg breach exposed employee data after attackers exploited flaws in Cleo software
# Incident Report: WK Kellogg Data Breach via Cleo Software Exploit
## Executive Summary
WK Kellogg Co experienced a data breach resulting from the exploitation of vulnerabilities in their third-party file transfer software, Cleo (Harmony, VLTrader, and LexiCom). The attackers successfully accessed and likely exfiltrated sensitive employee personnel files, including Social Security Numbers. WK Kellogg discovered the incident in February 2025 and began remediation and public notification in April 2025, offering identity protection services to affected staff.
## Incident Details
- **Discovery Date:** February 27, 2025
- **Incident Date:** December 7, 2024
- **Affected Organization:** WK Kellogg Co.
- **Sector:** Food Manufacturing (Cereal)
- **Geography:** Michigan, USA (Company HQ); Maine (Confirmed affected employee location)
## Timeline of Events
### Initial Access
- **Date/Time:** December 7, 2024
- **Vector:** Exploitation of zero-day vulnerabilities (CVE-2024-50623 and CVE-2024-55956) in Cleo file transfer software.
- **Details:** Attackers gained unauthorized access via flaws allowing unrestricted uploads/downloads (CVE-2024-50623, despite a prior patch) and the ability to run arbitrary bash or PowerShell commands (CVE-2024-55956).
### Lateral Movement
- **Details:** Not explicitly detailed, but the second vulnerability (command execution) provided a clear path for the threat actors to establish persistence or deploy malicious code necessary for data collection. Attackers focused on personnel files transferred via Cleo servers.
### Data Exfiltration/Impact
- **Details:** Unauthorized access and exposure of sensitive employee personnel files, including names and Social Security Numbers (SSNs). The full scope is still being determined, but at least one Maine employee was confirmed affected. The threat actor, believed to be Clop, listed WK Kellogg on their dark web leak site in February 2025.
### Detection & Response
- **Details:** WK Kellogg discovered the breach on February 27, 2025. Notification to affected individuals began via mail starting April 2025. The company disclosed the incident in a filing to the Maine Attorney General’s Office on April 4, 2025.
## Attack Methodology
- **Initial Access:** Exploitation of remote code execution and file-handling vulnerabilities (CVE-2024-50623, CVE-2024-55956) in Cleo file transfer software (Harmony, VLTrader, LexiCom).
- **Persistence:** Not explicitly detailed, but likely leveraged the RCE capability of the second vulnerability.
- **Privilege Escalation:** The flaws, particularly those allowing arbitrary command execution, effectively bypassed standard access controls.
- **Defense Evasion:** Exploitation of a zero-day, or very recently disclosed, vulnerability cluster for which security tooling may not yet have had signatures or mitigations.
- **Credential Access:** Not explicitly mentioned, but access implies credential usage or account compromise within the Cleo environment to access sensitive personnel file shares.
- **Discovery:** Attackers targeted systems involved in HR service provider transfers.
- **Lateral Movement:** Focused movement within the file transfer environment.
- **Collection:** Gathering of HR-related employee files.
- **Exfiltration:** Theft of collected personnel data.
- **Impact:** Data breach leading to identity theft risk for employees.
## Impact Assessment
- **Financial:** Costs associated with investigation, remediation, and identity protection services (one year of Kroll monitoring offered).
- **Data Breach:** Sensitive Personally Identifiable Information (PII) and Sensitive Personal Data (SPD), specifically names and Social Security Numbers (SSNs) of employees.
- **Operational:** Disruption related to incident management and mandatory notification processes.
- **Reputational:** Public confirmation of a significant data breach linked to supply chain software failure.
## Indicators of Compromise
- **Network indicators:** None explicitly provided; any would relate to connections to infrastructure used by the Clop group.
- **File indicators:** (Not specified).
- **Behavioral indicators:** Unauthenticated attempts to upload/download or execute commands on Cleo server instances linked to CVE-2024-50623/CVE-2024-55956.
## Response Actions
- **Containment:** Not specified; patching or isolation of the exploited Cleo servers would have been required following discovery.
- **Eradication:** Steps taken to remove any malicious presence established through the exploit (not detailed).
- **Recovery:** Notifying affected employees via mail and providing one year of free identity theft protection from Kroll (credit monitoring and fraud support).
## Lessons Learned
- **Key takeaways:** Third-party software, particularly products that handle sensitive data transfers (such as MFT solutions), represents a critical supply chain risk. Even patched vulnerabilities can still lead to compromise if follow-up vulnerabilities are exploited rapidly thereafter.
- **What could have been done better:** Proactive monitoring or segmentation of systems processing PII/SSN data transmitted via third-party vendors, especially when vendor security bulletins indicate active exploitation in the wild.
## Recommendations
- **Prevention measures for similar incidents:**
1. Immediately review and apply patches for all critical vulnerabilities (like those affecting Cleo products) across the IT environment.
2. Implement strict network segmentation and access controls around Managed File Transfer (MFT) solutions, limiting external connectivity and file operation permissions.
3. Enhance monitoring on file transfer systems for anomalous command execution or bulk file retrieval, correlated with known exploit signatures related to MFT/RCE flaws.
4. Audit all third-party vendors responsible for handling employee PII/HR data to ensure compliance with current security standards and swift patch management procedures.
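The behavioral indicators listed above (unauthenticated upload/download attempts, command execution on the MFT host) and recommendation 3 (monitoring for anomalous command execution and bulk retrieval) can be turned into concrete detection logic. The following is an added example written for this report, not code from WK Kellogg, Cleo, or the incident responders; it runs over a constructed log in a simplified, hypothetical line format (Cleo's real log schema is not on this page), and the MFT service binary names in `MFT_PROCESSES` are assumptions.

```python
import re
from collections import Counter

# Constructed sample log in a simplified, hypothetical line format (NOT Cleo's real schema).
# Transfer lines: "<ts> <src> <user|-> <UPLOAD|DOWNLOAD> <path>", user "-" = no authenticated
# session. Process lines: "<ts> <host> SPAWN <parent> -> <child>" from the MFT host's EDR.
SAMPLE_LOG = """\
2024-12-07T03:12:01Z 198.51.100.23 - UPLOAD /inbound/tmp/x.txt
2024-12-07T03:12:05Z 198.51.100.23 - DOWNLOAD /hr/personnel_2024.csv
2024-12-07T03:12:06Z 198.51.100.23 - DOWNLOAD /hr/personnel_2023.csv
2024-12-07T03:12:07Z 198.51.100.23 - DOWNLOAD /hr/personnel_2022.csv
2024-12-07T03:12:08Z 198.51.100.23 - DOWNLOAD /hr/personnel_2021.csv
2024-12-07T03:13:00Z mft01 SPAWN VLTrader.exe -> powershell.exe
2024-12-07T08:00:10Z 10.0.5.14 svc_hr DOWNLOAD /hr/personnel_2024.csv
2024-12-07T08:00:11Z mft01 SPAWN VLTrader.exe -> java.exe
"""
TRANSFER_RE = re.compile(r"^(\S+) (\S+) (\S+) (UPLOAD|DOWNLOAD) (\S+)$")
SPAWN_RE = re.compile(r"^(\S+) (\S+) SPAWN (\S+) -> (\S+)$")
MFT_PROCESSES = {"vltrader.exe", "harmony.exe", "lexicom.exe"}  # assumed service binary names
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "bash", "sh"}

def parse_events(text):
    """Turn log lines into event dicts; lines matching neither pattern are skipped."""
    events = []
    for line in text.splitlines():
        if m := TRANSFER_RE.match(line):
            ts, src, user, action, path = m.groups()
            events.append(dict(kind="transfer", ts=ts, src=src, user=user, action=action, path=path))
        elif m := SPAWN_RE.match(line):
            ts, host, parent, child = m.groups()
            events.append(dict(kind="spawn", ts=ts, host=host, parent=parent, child=child))
    return events

def detect(events, bulk_threshold=4):
    """Return (rule, detail) alerts for: a transfer with no authenticated session, a shell
    spawned by the MFT service process, and >= bulk_threshold downloads from one source
    within the same minute (fixed per-minute bucket, a SIEM-style approximation)."""
    alerts, per_minute = [], Counter()
    for e in events:
        if e["kind"] == "transfer":
            if e["user"] == "-":
                alerts.append(("unauth_transfer", f"{e['src']} {e['action']} {e['path']}"))
            if e["action"] == "DOWNLOAD":
                per_minute[(e["src"], e["ts"][:16])] += 1   # key: source + "YYYY-MM-DDTHH:MM"
        elif e["parent"].lower() in MFT_PROCESSES and e["child"].lower() in SHELLS:
            alerts.append(("mft_shell_spawn", f"{e['host']} {e['parent']} -> {e['child']}"))
    for (src, minute), n in per_minute.items():
        if n >= bulk_threshold:
            alerts.append(("bulk_download", f"{src} {n} downloads in minute {minute}"))
    return alerts
```

The legitimate `svc_hr` download and the `java.exe` child process in the sample produce no alerts, which is the false-positive check to keep when tuning `bulk_threshold` for a real environment.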