WK Kellogg Confirms Data Breach Tied to Cleo Software Exploit

Sensitive employee data at WK Kellogg Co. has been exposed in a cybersecurity breach after attackers exploited a vulnerability in file transfer software used by the company.
The breach, which occurred on December 7, 2024, involved unauthorized access to personnel files transferred via Cleo servers.
WK Kellogg disclosed the incident on April 4, 2025, in a filing to the Maine Attorney General’s Office. The Michigan-based cereal manufacturer said it discovered the breach on February 27 and has begun notifying affected individuals by mail.
At least one employee in Maine had their name and Social Security number compromised, though the full scope of the breach remains unclear.
The attackers exploited known vulnerabilities in Cleo’s Harmony, VLTrader and LexiCom file transfer software.
One flaw, tracked as CVE-2024-50623, allowed unrestricted uploads and downloads. Although Cleo issued a patch in October 2024, security researchers later found it failed to fully protect against intrusion.
In December, a second vulnerability – CVE-2024-55956 – was discovered. This flaw allows unauthenticated users to run arbitrary bash or PowerShell commands, giving attackers a path to deploy malicious code.
Cybersecurity firms believe the Clop ransomware group is responsible for the attack.
Researchers from Arctic Wolf and Mandiant linked the breach to a broader campaign that has targeted organizations using Cleo products.
Clop publicly listed WK Kellogg on its dark web leak site in February, applying pressure on the company to respond.
“Zero-day flaws, such as those that have been exploited by the Clop ransomware group, are extremely difficult to defend against,” said Erich Kron, security awareness advocate at KnowBe4.
“Because these stolen files are HR-related employee files, the information within them is liable to be very sensitive and could easily lead to identity theft for those affected.”
WK Kellogg confirmed it used Cleo servers to send personnel files to HR service providers. Those transfers were the specific target of the attack.
The company has begun offering affected individuals one year of free identity theft protection from Kroll, including credit monitoring and fraud support.
“Victims of the data breach should ensure that they have locked their credit to avoid illicit accounts being opened in their names and should be on the lookout for potential signs of identity theft,” Kron concluded.