Clorox and Johnson Controls Reveal Cyberattack-Related Financial Losses

• Written by Shipra Sanganeria Cybersecurity & Tech Writer
• Fact-Checked by Justyn Newman Former Lead Cybersecurity Editor

Two new earnings reports filed last week with the Securities & Exchange Commission disclosed the financial impact of cyber security-related incidents on an organizations’ profit.

American Cleanings product manufacturer, Clorox, in its regulatory filing revealed that the August 2023 attack had resulted in wide-scale operational disruptions, including delays in order processing and goods production. In addition to affecting sales and earnings, the incident forced the company to temporarily take down certain systems to contain the incident.

In its regulatory filing, Clorox reported incurring $49 million in expenses (six months ending December 2023) related to the incident.

“The costs incurred relate primarily to third-party consulting services, including IT recovery and forensic experts and other professional services incurred to investigate and remediate the attack, as well as incremental operating costs incurred from the resulting disruption to the Company’s business operations,” disclosed Clorox.

The company further went on to say in the coming period, it hopes to lessen cyberattack-related expenses, by improving and streamlining its business operations.

In a separate incident, multinational conglomerate, Johnson Controls, revealed that September 2023 ransomware attack had resulted in data theft and incident-related expenses of $27 million.

‘’These impacts were primarily attributable to expenses associated with the response to, and remediation of, the incident, and are net of insurance recoveries,’’ the filing revealed .

“The company expects to incur additional expenses associated with the response to, and remediation of, the incident throughout fiscal 2024, most of which the company expects to incur in the first half of the year”.

“These expenses include third-party expenditures, including IT recovery and forensic experts and others performing professional services to investigate and remediate the incident, as well as incremental operating expenses incurred from the resulting disruption to the company’s business operations.”

The cybersecurity incident which was discovered on September 23, 2023, impacted Johnson’ s internal IT infrastructure and applications, including specific billing systems.

Europcar Rebuffs Hacked Data as AI Generated

• Written by Shipra Sanganeria Cybersecurity & Tech Writer
• Fact-Checked by Justyn Newman Former Lead Cybersecurity Editor

Global car rental company Europcar refuted data leak claims, stating that the advertised personal information of nearly 50 million customers is fake.

On January 28, a user of a popular hacking forum claimed to be selling information for 48,606,700 Europcar customers. The post included a sample of alleged stolen data, including names, complete address, birth and passport details, driver’s license number, and other information.

After a threat intelligence service notified it about the breach, Europcar verified the data. The company dismissed it as false, stating that it was probably generated using generative AI tools like ChatGPT.

The company went on to say:

– ‘’the number of records is completely wrong & inconsistent with ours,

– the sample data is likely ChatGPT-generated (addresses don’t exist, ZIP codes don’t match, first name and last name don’t match email addresses, email addresses use very unusual TLDs),

– and most importantly: none of these email addresses are present in our database.”

However, Troy Hunt of Have I Been Pwned does not believe that the data was generated using artificial intelligence, despite much of it being false.

According to him, there is a mismatch between the listed individuals’ names and corresponding email addresses and usernames. Moreover, some of the addresses are non-existent. ‘’But many of the physical addresses are fake – they just don’t exist. They’re generated,’’ Hunt wrote on X (previously Twitter).

Nevertheless, he pointed out that not all email addresses were false, some emails in the datasets were real. They appeared in previous breaches, monitored by the site, Have I Been Pwned.

While one cannot rule out the use of generative-AI in cyber-attacks and online scams, this data leak incident is not a result of this.

‘’We’ve had fabricated breaches since forever because people want airtime or to make a name for themselves or maybe a quick buck. Who knows, it doesn’t matter, because none of that makes it “AI” and seeking out headlines or sending spam pitches on that basis is just plain dumb,’’ Hunt explained.