Cleaning products company Clorox disclosed the major cybersecurity incident that led to a shutdown of its automated order processing late last year has cost it about $49 million.
After Clorox discovered unauthorized activity on its computer systems beginning Aug. 11, it took its systems offline, hired a cybersecurity consultant, and shut down automated order processing.
The company continued servicing customers by handling orders manually and conducting processing procedures at a reduced rate. It hired forensic experts and others to investigate and remediate the attack, it said.
The incident caused “wide-scale disruptions” to the company’s business operations, including order processing delays and product outages, through the quarter that ended Sept. 30, the company said in a 10-Q filing with the Securities and Exchange Commission (SEC) on Thursday. The disruptions had a negative impact on net sales and earnings, the company said.
The incident cost the company about $49 million in the six months that ended Dec. 31, it said. Of the $49 million in expenses, about $20 million was attributed to the cost of products sold and $29 million was for selling and administrative expenses.
The company’s latest financial results showed its recovery plan was working, Chief Executive Linda Rendle said in a press release Thursday.
“Our second-quarter results reflect strong execution on our recovery plan from the August cyberattack,” Rendle said. “We are rebuilding retailer inventories ahead of schedule, enabling us to return to merchandising and restore distribution.
“While there is still more work to do, we’re focused on executing with excellence in what remains a challenging environment to drive top-line growth and rebuild margin.”
The cyberattack at Clorox took place prior to the SEC’s new rules regarding material cybersecurity incidents taking effect in December, providing a case study for public companies on disclosure.