US cereal giant WK Kellogg has confirmed it was the target of a data breach earlier this year, with the incident traced to a vulnerability in a third-party file transfer service.
The breach, believed to have compromised personally identifiable information (PII), has been claimed by the Clop (C10P) ransomware group, a prolific cybercrime gang known for targeting supply chain weaknesses.
The breach reportedly stemmed from Cleo, a file transfer service used to send employee records to Kellogg’s HR vendors.
Although breach notifications filed in Maine and New Hampshire list just four individuals affected in those states, the true scale may be larger.
In response, WK Kellogg is offering one year of credit monitoring and identity theft protection services to those impacted.
Cybersecurity analysts say this attack appears to be part of a broader campaign by Clop.
The same file transfer vulnerability was allegedly exploited in a March 2025 attack on Sam’s Club, the Walmart-owned retail chain, in which the personal data of approximately 100,000 employees was exposed.
At least two dozen organisations are believed to have been compromised in similar incidents linked to the Cleo platform.
Cereal innovation: Interview with CIO of Kellogg’s Europe
Dray Agha, senior manager of security operations at Huntress, highlighted the growing risk posed by third-party services. “While the number of affected individuals reported so far is low, the fact that this breach stemmed from a third-party vendor highlights a broader issue we’re seeing across the industry,” he said. “Even if your internal security is sound, a vulnerable partner can open the door to compromise.”
Agha added that Cleo’s involvement in both the WK Kellogg and Sam’s Club breaches shows how attackers are increasingly targeting file transfer platforms as strategic points of entry.
Jamie Akhtar, CEO and co-founder of CyberSmart, echoed those concerns. “Around 80% of all breaches begin in the supply chain, and this form of attack has surged by 431% globally in the past two years,” he noted. “It proves, once again, that your defences are only as strong as the weakest link.”
Akhtar praised Kellogg’s response, calling its decision to provide credit monitoring “refreshing”. “Too often, we see individuals left to fend for themselves after breaches they didn’t cause,” he said. “Kellogg’s approach deserves recognition.”
The breach serves as a stark reminder of the cybersecurity challenges facing companies reliant on interconnected digital supply chains.