Article Details

Scrape Timestamp (UTC): 2023-11-16 00:49:20.689

Source: https://www.theregister.com/2023/11/16/clorox_ciso_washes_out/

Original Article Text

Clorox CISO flushes self after multi-million-dollar cyberattack. Plus: Ransomware crooks file SEC complaint against victim.

The Clorox Company's chief security officer has left her job in the wake of a corporate network breach that cost the manufacturer hundreds of millions of dollars.

Amy Bogac held the title of chief information security officer (CISO) and VP of enterprise security and infrastructure at Clorox since June 2021, per her LinkedIn profile.

While her LinkedIn profile doesn't indicate any job changes, Friday was Bogac's last day at the multinational cleaning product conglomerate, according to Bloomberg News, which reviewed an internal memo and cited two people familiar with the matter.

Bogac did not respond to The Register's inquiries, and a Clorox spokesperson declined to say if Bogac remains on staff. "Out of respect to our current and former teammates, we do not comment on personnel matters," the spokesperson replied.

Chau Banks, the chief information and data officer of the $7 billion biz, who reportedly penned the memo, will fill Bogac's role as Clorox continues mopping up the mess and searches for and hires a replacement.

"She was a champion of cyber security best practices externally and across the company through her ongoing participation in our Lunch With a Leader series to influence and educate others on cyber security awareness and relevant topics," the memo read. "During her time at Clorox, she also developed a strong Security & Infrastructure team."

Clorox first disclosed its computer network had been compromised in a US Securities and Exchange Commission filing in August. At the time, it said some of its IT systems and operations had been "temporarily impaired" due to "unauthorized activity" in its IT environment.

A subsequent SEC filing in September noted "wide scale disruption" across the business because of the intrusion. Those disruptions included processing orders by hand after some systems were taken offline.

"The company is operating at a lower rate of order processing and has recently begun to experience an elevated level of consumer product availability issues," Clorox said at the time.

In its first-quarter fiscal 2024 earnings report at the start of this month, Clorox reported a 20 percent drop in year-on-year Q1 net sales and noted the $356 million decrease was "driven largely" by the cyberattack.

In a subsequent SEC filing, Clorox noted that expenses related to the network break-in for the three months ending September 30 totaled $24 million.

"The costs incurred relate primarily to third-party consulting services, including IT recovery and forensic experts and other professional services incurred to investigate and remediate the attack, as well as incremental operating costs incurred from the resulting disruption to the company's business operations," according to the Form 10-Q filing.

Clorox also revealed it expects to incur more expenses related to the security super-snafu in future periods.

AlphV files SEC complaint

In other cyber news, affiliates of ransomware gang AlphV (aka BlackCat) claimed to have compromised digital lending firm MeridianLink – and reportedly filed an SEC complaint against the fintech firm for failing to disclose the intrusion to the US watchdog.

First reported by DataBreaches, the break-in apparently happened on November 7. AlphV's operatives claimed they did not encrypt any files but did steal some data – and MeridianLink was allegedly aware of the intrusion the day it occurred.

In screenshots shared with The Register and posted on social media, the AlphV SEC submission claims MeridianLink made a "material misstatement or omission" in its filings and financial statements, "or a failure to file."

The thoughtful folks at AlphV asserted they are simply filing the paperwork for MeridianLink – and giving it "24 hours before we publish the data in its entirety."

The Register asked the SEC about the AlphV complaint. "We decline to comment," the spokesperson replied.

Daily Brief Summary

DATA BREACH // Clorox CISO Resigns Following Costly Corporate Cyberattack

Clorox's CISO Amy Bogac has stepped down after a breach that caused significant financial damage to the company.

The cyberattack resulted in a 20 percent decrease in Clorox's Q1 net sales, equating to a $356 million reduction.

Clorox's SEC filings reveal the attack led to "wide scale disruption," including manual order processing.

Expenses related to the breach for Q3 totaled $24 million, mostly for IT recovery and professional forensic services.

Ransomware group AlphV (BlackCat) filed an SEC complaint against MeridianLink, claiming they failed to disclose a data breach.

No comment from the SEC on the AlphV complaint; Clorox is still dealing with the fallout and searching for a new CISO.