Cleaning products maker Clorox has reported losses of $49 million in connection to a cyberattack it suffered in August of last year.

On Monday, August 14, 2023, Clorox disclosed it had identified unauthorized activity on some of its IT systems. Despite a business continuity plan, the incident resulted in wide-scale disruptions to the company’s operations throughout the quarter, which ended September 30, 2023.

Clorox says it expects operational impacts from the cyberattack to continue into the second quarter, though the majority of order processing operations have returned to automated processes. Among other consequences of the cyberattack, net sales are expected to decrease between about $487 million and $593 million.

The company never revealed the nature of the attack, but based on a brief description, we must assume it was a ransomware attack. Ransomware experts have attributed the attack to ALPHV/BlackCat, but attribution is hard. This is especially true when the victim decides to pay the ransom, because their details aren’t made public by the attackers. When an organization refuses to pay, the attacking ransomware group will typically publish the organization’s details, along with its data, on their leak site, which are our main source of information about who did what to who.

The ALPHV ransomware gang is arguably the second most dangerous “big game” ransomware operator, as you can see in many of our monthly ransomware reviews.

The costs of the cyberattack, which included payments to third-parties that were hired to help investigate and remediate the attack amounted to $49 million.

Clorox was forced to shut down many of its systems due to the attack, which triggered order processing delays and significant product outages.

The fact that the disruptions lasted as long as they did, does not bode well for the business continuity plan. Add to that the suspicion that the ransom was paid, and we can conclude that backups were perhaps insufficient or not readily deployable.

These are things that, however cumbersome, need to be tested. Waiting for the actual emergency as the first test is never a good idea. Another indication that things may not have been up to par was the chief information security officer (CISO) leaving in November, while the company was still recovering from the cyberattack.