Clorox and Johnson Controls Reveal $76m Cyber-Attack Bill

Written by

Two new regulatory filings have revealed the surging costs associated with ransomware and other cyber-related incidents.

Cleaning product manufacturer, Clorox, confirmed major operational disruption in an attack discovered on August 14 last year, forcing it to revert to manual ordering and processing. The breach was never confirmed as ransomware but the firm said it took certain systems offline to contain the incident, which is consistent with such an attack.

A new SEC filing late last week revealed expenses associated with the incident of $49m in the six months to December 31 2023.

“The costs incurred relate primarily to third-party consulting services, including IT recovery and forensic experts and other professional services incurred to investigate and remediate the attack, as well as incremental operating costs incurred from the resulting disruption to the company’s business operations,” it explained.

“The company expects to incur lessening costs related to the cyber-attack in future periods. The company has not recognized any insurance proceeds in the three and six months ended December 31, 2023 related to the cyber-attack. The timing of recognizing insurance recoveries, if any, may differ from the timing of recognizing the associated expenses.”

Read more on breach costs: Equifax Has Spent Nearly $1.4bn on Breach Costs

Separately, buildings management conglomerate Johnson Controls also revealed major losses – this time from a confirmed ransomware attack in September.

It claimed $27m in expenses during the final quarter of 2023 related to incident response and recovery. However, there’s likely more to come as it continues to count the cost of the ransomware breach.

“The company expects to incur additional expenses associated with the response to, and remediation of, the incident throughout fiscal 2024, most of which the company expects to incur in the first half of the year,” it said in the filing.

“These expenses include third-party expenditures, including IT recovery and forensic experts and others performing professional services to investigate and remediate the incident, as well as incremental operating expenses incurred from the resulting disruption to the company’s business operations.”

The breach also impacted the firm’s billing systems, affecting cash flow, although Johnson Controls claimed it would not materially impact net income. A “substantial portion” of direct costs will be reimbursed from insurance coverage, it added.

Image credit: Moab Republic /

What’s hot on Infosecurity Magazine?