Oreo cookie maker says crooks gobbled up staff info

Mondelez International has warned 51,000 of its past and present employees that their personal information has been stolen from a law firm hired by the Oreo and Ritz cracker giant.

To be clear, the miscreants didn't infiltrate Mondelez's IT estate: they broke into Bryan Cave Leighton Paisner LLP's network. And as one of Mondelez's legal services providers, Bryan Cave had copies of and access to sensitive personal information belonging to current and former Mondelez workers. 

As the snack giant noted in its security breach notification to 51,110 individuals on Friday: "Please know that this incident did not occur on or affect Mondelez systems or networks in any way."

Considering Mondelez was among the global companies hit in the NotPetya outbreak — and it recently settled its lawsuit against Zurich American Insurance Company, which it brought because the insurer refused to cover Mondelez's $100-million-plus cleanup bill — the fact that this was a third-party privacy breach probably provided a small bit of relief somewhere. Bryan Cave, we note, did not represent Mondelez in the NotPetya insurance legal battle.

While the cookie monster company is "unaware of any attempted or actual misuse of your information," it told affected employees, past and present, that the crooks accessed their social security numbers, first and last names, addresses, dates of birth, marital status, gender, employee identification numbers, and Mondelez retirement plan details.

"Financial information, such as account information or credit card numbers, were not involved in this incident," the notification added [PDF]. 

Per usual, Mondelez is offering free credit monitoring services to anyone whose data may have been compromised for 24 months.

Neither Bryan Cave nor Mondelez, which also owns Sour Patch Kids and Swedish Fish candy, Chips Ahoy, Triscuit and Wheat Thins crackers, and dozens of other brands, declined to answer The Register's specific inquiries, including how the crooks broke into the law firm's network, how much data they stole, and whether they demanded a ransom to delete the stolen goods.

That said, the Missouri-based law outfit did just now tell us this: "Earlier this year, BCLP was affected by an IT security incident. Upon learning of the issue, we immediately took measures to contain the incident with the assistance of a leading forensics firm, coordinated with law enforcement and are communicating with our affected stakeholders. We remain able and focused on continuing to serve our clients as we resolve this matter."

• Ritz cracker giant settles bust-up with insurer over $100m+ NotPetya cleanup
• Reddit confirms BlackCat gang pinched some data
• Data leak at major law firm sets Australia's government and elites scrambling
• Capita faces first legal Letter of Claim over mega breach

Here's what we do know, according to documents submitted to the Maine Attorney General's office. The law firm initially detected unauthorized access to its systems on February 27, and determined that the intrusion started on February 23 and continued until March 1.

Bryan Cave later reported the IT security breach to Mondelez on March 24 after determining that the candy titan's employee info had been swiped.

"On May 22, 2023, based upon additional information received from Bryan Cave, Mondelez determined that it finally had enough information to determine who was impacted and that affected individuals should be notified," the notification said. 

"Mondelez proceeded to conduct a thorough review of impacted information to identify all affected current and former employees, which was just completed, and is now providing notification," it added.

Bryan Cave hired an "outside cybersecurity forensics firm" to help with the investigation and notified law enforcement, according to the notification.

The security breach alert comes as several other high-profile corporations are reeling from ransomware intrusions.

Over the weekend, BlackCat claimed responsibility for a Reddit break-in from February, and said it had demanded $4.5m not to leak the stolen corporate data.

Meanwhile, the Clop ransomware gang keeps adding victims to its list of organizations ransacked via a MOVEit Transfer bug and began leaking corporate data, reportedly starting with Shell. ®