Skip to main content
close search
site logo

WK Kellogg confirms employee data breach tied to Cleo file-transfer flaw

The Michigan-based breakfast cereal company confirmed it used Cleo as a vendor for human resources data.

Published April 8, 2025
David Jones's headshot
Reporter
Rice Krispies, one of WK Kellogg's iconic cereals.
Rice Krispies boxes with a "Spider-Man" promotion sit on a shelf May 7, 2002, in New York City. WK Kellogg said employee data was breached in December 2024 in connection with a flaw in Cleo file transfer software . https://www.gettyimages.com/detail/news-photo/rice-krispies-boxes-with-a-spider-man-promotion-sit-on-a-news-photo/1540408?adppopup=true via Getty Images

WK Kellogg Co. confirmed that at least one employee was affected in a December hack related to a vulnerability in Cleo file-transfer software, according to a regulatory filing with the Maine Attorney General’s office. 

The Michigan-based breakfast cereal company said Cleo servers, which were used to transfer employee files, were hacked on Dec. 7. WK Kellogg said it first learned of the hacking incident on Feb. 27.  

The breached data included the name and Social Security number of one employee based in Maine. However, it is not immediately known if the personal data of other employees was also breached. 

As previously reported, critical flaws in Cleo file-transfer software came under mass exploitation in December. 

Cleo originally released a patch in October 2024 to address an unrestricted file upload and download vulnerability, tracked as CVE-2024-50623, in Cleo Harmony, VLTrrader and LexiCom file-transfer products.  

However, security researchers found the patch did not offer adequate protection from hacking. 

A second vulnerability, tracked as CVE-2024-55956, was discovered in December; it allows unauthenticated users to import or execute arbitrary bash or PowerShell commands.  

Researchers from Arctic Wolf said in December that Cleo MFT products were being exploited as part of an effort to deploy Java-based backdoors. 

“At the time of publication, the motivations of the threat actors had not been fully elucidated,” a spokesperson for Arctic Wolf said via email. “Since then, [Clop] has published a message on their leak site claiming responsibility for some of the ransomware threat activity targeting organizations running Cleo products.”

Researchers at Mandiant traced a cluster of malicious activity to a threat actor tracked as FIN11, which overlaps with the Clop ransomware gang. Clop is most widely known as the group linked to the widespread attacks on MOVEit file-transfer software in 2023. 

Just last week, Sam’s Club said it was investigating a potential attack after Clop referenced the company on its leak site. 

A spokesperson for WK Kellogg was not immediately available for comment.

Filed Under: Breaches

Editors' picks

Company Announcements

View all | Post a press release
98% of Brands Targeted by Cyber Attacks in 2024 – BrandShield CyberScam Report Reveals Rising …
From BrandShield
April 02, 2025
360 Privacy Announces Strategic Executive Appointments Following $36 Million Growth Investment
From 360 Privacy
March 31, 2025
Lafayette Federal Credit Union Data Breach Investigation
From Migliaccio & Rathod LLP
March 24, 2025
Monro Data Breach Investigation
From Migliaccio & Rathod LLP
March 26, 2025
Editors' picks
Latest in Breaches
Industry Dive is an Informa TechTarget business.
© 2025 TechTarget, Inc. or its subsidiaries. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell
This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world's technology buyers and sellers. All copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.'s registered office is 275 Grove St. Newton, MA 02466.