- Cereal giant KW Kellogg has suffered a data breach
- Fortunately, so far, only four people seem to be affected
- This could be connected to recent Cleo File Transfer breaches
Cereal giant WK Kellogg was hit with a data breach early in 2025, which has affected an unknown number of people.
CyberNews reports breach notifications were sent to Attorney General’s offices in Maine and New Hampshire, but these claim only four people were affected between the two states.
The servers affected by the breach were used to transfer employee records to WK Kellogg’s HR service vendors, meaning it’s likely some data exposed includes personally identifiable information (PII). This could leave those affected at risk of identity theft and fraud, so WK Kellogg is rightly offering a year of credit monitoring and identity theft protection services to those affected in the breach.
A familiar story
The breach reportedly originated through a third party vendor, file transfer service Cleo, which was also used in a suspected C10p ransomware attack against Sam’s Club in late March of 2025.
This incident saw attackers allegedly intercept the personal data of around 100,000 employees, and was part of a much wider campaign by the C10p group in which at least two dozen organizations were compromised through the file service vulnerability.
It’s not yet clear if the WK Kellogg breach is a ransomware attack or if the same group behind the incident – and the company did not immediately respond with any comment.
WK Kellogg is far from alone though, as third-party data breaches have become a major security concern, with almost all companies in Europe (98%) experiencing a third-party breach in the last year, compared to just 18% of organizations suffering a direct breach.
In the age of globalization, it’s almost impossible to run a business without collaborating with third-parties, so knowing your vendor and being confident in managing the risks they come with is key to keeping your information secure.
