Clorox paid about $49 million and Johnson Controls paid about $27 million to cover data breach costs in 2023, according to new SEC filings from each of the companies. The total of nearly $76 million is in actual money paid for contracting and assorted remediation measures, and is separate from projections of lost revenue from both companies.
Both companies were hit by ransomware and opted not to pay the attackers, though two different ransomware groups are believed to be responsible for the attacks.
Ransomware gangs continue to menace businesses of all sizes
A good deal of research supports the idea that data breach costs have been steadily climbing for years now. Clorox and Johnson Controls both paid well above average to clean up after their incidents, however, even when measured against the United States average, which is the highest in the world.
Both companies say that they expect insurance to at least partially cover the bill, something that is becoming a luxury only available to the relative few in a rapidly contracting cyber insurance market. Many organizations are now having trouble obtaining full coverage, and some are stuck with essentially no coverage for ransomware incidents.
Larger organizations such as Clorox are also increasingly prepared for these attacks, with regular backups and readiness to pull systems offline when a ransomware attempt is detected. But even when they do everything right, they still likely face weeks to months of recovery time unless they take their chances on paying the attacker to unlock their systems.
The US remains the world’s leading target for ransomware, and the average business there can now expect dozens of cyber attacks per year (and for about three of these to actually succeed in establishing some kind of penetration or foothold). The steady increase in data breach costs is very likely tied to a measurable increase in the sophistication of the average attack attempt, even those that target smaller fish.
Lost sales contribute to both revenue impacts and data breach costs
The SEC filings from both Clorox and Johnson Controls said similar things: most of the data breach costs are taken care of at this point and insurance is expected to significantly contribute, but there will be some continued recovery expenses into the first half of 2024.
Clorox reported that business interruption issues do continue, but that the company was ahead of schedule on resupplying inventory and getting it onto store shelves (one of its central problems in late 2023 while recovering from the attack). Johnson Controls said that its billing system took the worst of the impact from the attack and that it would also still have recovery costs for several months, but that it expected insurance to ultimately cover most of the damage.
The incident serves as an illustration of how long (and expensive) a ransomware recovery can be even for a well-resourced, well-insured company that was reasonably prepared for the eventuality. But it also reflects what is hopefully an ongoing trend of companies being more forthcoming and detailed in their data breach disclosures, with both of the involved parties going above what is legally required in their communications with shareholders.