
Sam’s Club, the Walmart-owned retail warehouse chain, is investigating claims of a data breach made by the Clop ransomware group. The incident, reported in late March 2025, allegedly involves the exploitation of a vulnerability in Cleo’s managed file-transfer products (Harmony, VLTrader and LexiCom), tracked as CVE-2024-50623. While the investigation is ongoing, the claim highlights the persistent threat that ransomware-as-a-service (RaaS) groups pose to the file-transfer software on which supply chains depend.
Summary for Executives
The potential breach at Sam’s Club underscores the growing risk of third-party software vulnerabilities in the retail and logistics sectors. Clop, a long-established extortion group, has previously hit high-profile organizations such as AutoZone (184,995 individuals notified in 2023) and exploited a zero-day in Progress MOVEit Transfer (CVE-2023-34362). Key takeaways:
- Attack Vector: Cleo file-transfer software vulnerability (CVE-2024-50623).
- Threat Actor: Clop ransomware group, known for data theft and extortion.
- Current Status: Investigation ongoing; no confirmed data leaks as of March 2025.
Technical Details of the Incident
The alleged breach follows Clop’s established tactics, techniques, and procedures (TTPs): exploit an internet-facing file-transfer product, steal data in bulk, and extort the victim, frequently without ever deploying an encryptor. The Cleo vulnerability (CVE-2024-50623) was reportedly leveraged for initial access, mirroring the group’s earlier mass-exploitation campaigns against GoAnywhere MFT (CVE-2023-0669) and MOVEit Transfer (CVE-2023-34362). BleepingComputer first reported the incident, noting similarities to the 2023 AutoZone case, in which data stolen via MOVEit was later published on Clop’s leak site.
Clop’s operations align with broader RaaS trends, in which affiliates keep the majority of each ransom (newer programs such as VanHelsing advertise an 80% affiliate share). In its mass-exploitation campaigns the group has skipped encryption in favor of pure data theft and extortion, as seen in the MOVEit campaign, which affected more than 2,500 organizations. If Sam’s Club uses Cleo software for supply chain logistics, vendor or customer data could be exposed, though no specifics have been confirmed.
Relevance to Security Professionals
For network defenders, this incident reinforces the need to inventory and audit third-party file-transfer solutions and to confirm that CVE-2024-50623 is patched. Red teams should note the tradecraft seen across Clop’s campaigns, including:
- Abuse of trusted, internet-facing third-party software for initial access and subsequent lateral movement.
- Use of legitimate cloud services to blend command-and-control (C2) and exfiltration traffic into normal activity.
Blue teams are advised to prioritize:
- Dark web monitoring for leaked credentials or internal data.
- Strict access controls for file-transfer systems, including multi-factor authentication (MFA).
Mitigation Strategies
Organizations using Cleo file-transfer software should:
- Upgrade to the version named in Cleo’s current advisory rather than simply applying the first fix for CVE-2024-50623: the initial patch was incomplete, and the bypass (CVE-2024-55956) was also exploited in the wild.
- Isolate systems with Cleo integrations (restrict inbound exposure to known partner networks, and disable the Autorun feature where it is not required) and monitor them for anomalous activity.
- Review logs for unexpected file exports, writes into auto-executed directories, and access from unexpected accounts or source addresses.
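The log review in the last step can be automated. The script below is an added example, not code from the original article or from Cleo: it walks a constructed audit log (the format, account names, addresses, paths and thresholds are all invented for illustration, and real Cleo or MOVEit logs differ) and flags the three patterns a Clop-style intrusion leaves behind, namely logins from outside the expected partner networks, uploads into an auto-executed directory, and bulk downloads by one account inside a short window. The "/autorun/" path heuristic is an assumption to be adjusted to the product’s actual configuration.

```python
"""Review a managed file-transfer audit log for Clop-style intrusion signs.

Everything here is constructed for the example: the log format, the
accounts, the IP ranges and the thresholds.  Tune them to your environment.
"""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log.  Fields: timestamp user src_ip action path bytes
SAMPLE_LOG = """\
2025-03-20T01:02:10Z partner_acme 203.0.113.10 LOGIN - 0
2025-03-20T01:02:15Z partner_acme 203.0.113.10 DOWNLOAD /outbox/po_1001.xml 4096
2025-03-20T01:05:30Z partner_acme 203.0.113.10 DOWNLOAD /outbox/po_1002.xml 4210
2025-03-20T02:41:00Z svc_edi 198.51.100.77 LOGIN - 0
2025-03-20T02:41:05Z svc_edi 198.51.100.77 UPLOAD /autorun/hc_update.txt 1420
2025-03-20T02:42:00Z svc_edi 198.51.100.77 DOWNLOAD /vendors/acme/contract.pdf 2100000
2025-03-20T02:42:03Z svc_edi 198.51.100.77 DOWNLOAD /vendors/acme/pricing.xlsx 800000
2025-03-20T02:42:06Z svc_edi 198.51.100.77 DOWNLOAD /vendors/beta/contract.pdf 1900000
2025-03-20T02:42:09Z svc_edi 198.51.100.77 DOWNLOAD /vendors/beta/pricing.xlsx 700000
2025-03-20T02:42:12Z svc_edi 198.51.100.77 DOWNLOAD /vendors/gamma/contract.pdf 2300000
2025-03-20T02:42:15Z svc_edi 198.51.100.77 DOWNLOAD /vendors/gamma/pricing.xlsx 650000
2025-03-20T09:15:00Z partner_acme 203.0.113.12 UPLOAD /inbox/asn_77.xml 8000
"""

# Assumed tuning values (not from the article or from Cleo documentation).
EXPECTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # known partner range
AUTORUN_DIRS = ("/autorun/",)        # directories whose contents get executed
MAX_DOWNLOADS = 5                    # downloads per account per window
MAX_BYTES = 5_000_000                # bytes per account per window
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Split one constructed log line into a typed event dict."""
    ts, user, ip, action, path, size = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": when, "user": user, "ip": ipaddress.ip_address(ip),
            "action": action, "path": path, "bytes": int(size)}


def review(log_text, expected_nets=EXPECTED_NETS):
    """Return findings keyed by rule name; each value is a list of tuples."""
    findings = {"unexpected_source": [], "autorun_upload": [], "bulk_download": []}
    recent = defaultdict(deque)   # user -> (ts, bytes) of downloads in the window
    already_flagged = set()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        # Rule 1: a login from outside the partner networks is unauthorized access.
        if ev["action"] == "LOGIN" and not any(ev["ip"] in n for n in expected_nets):
            findings["unexpected_source"].append((ev["user"], str(ev["ip"])))
        # Rule 2: a write into an auto-executed directory is a code-execution attempt.
        if ev["action"] == "UPLOAD" and ev["path"].startswith(AUTORUN_DIRS):
            findings["autorun_upload"].append((ev["user"], ev["path"]))
        # Rule 3: many downloads, or many bytes, by one account in a short window.
        if ev["action"] == "DOWNLOAD":
            q = recent[ev["user"]]
            q.append((ev["ts"], ev["bytes"]))
            while q and ev["ts"] - q[0][0] > WINDOW:   # drop events outside the window
                q.popleft()
            total = sum(b for _, b in q)
            if (len(q) > MAX_DOWNLOADS or total > MAX_BYTES) and ev["user"] not in already_flagged:
                already_flagged.add(ev["user"])
                findings["bulk_download"].append((ev["user"], len(q), total))
    return findings


if __name__ == "__main__":
    for rule, hits in review(SAMPLE_LOG).items():
        for hit in hits:
            print(f"{rule}: {hit}")
```

Running it against the sample flags the `svc_edi` account three times: its login arrives from outside the partner range, it drops a file into the autorun directory, and its fourth download pushes the 10-minute byte total past the threshold. The byte threshold matters as much as the count: Clop’s campaigns pull whole directory trees, so a handful of large files is as telling as dozens of small ones.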
For broader ransomware defense, CISA’s #StopRansomware advisory on Clop’s MOVEit campaign (AA23-158A) provides actionable steps, including network segmentation, disabling unnecessary file-transfer protocols, and reviewing file-transfer servers for unexpected accounts and files.
Conclusion
The Sam’s Club investigation reflects the escalating risk of supply chain attacks delivered through file-transfer vulnerabilities. Clop’s continued activity signals the need for proactive patch management, minimal internet exposure of file-transfer systems, and vendor risk assessments. Further updates will depend on forensic findings and on whether Clop publishes any stolen data.
References
- “Retail giant Sam’s Club investigates Clop ransomware breach claims.” BleepingComputer, March 2025.
- “AutoZone discloses Clop ransomware attack impacting 184,995 individuals.” TEISS, November 2023.
- “#StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability” (AA23-158A). CISA, June 2023.
- “VanHelsing, new RaaS in Town.” Check Point Research, March 2025.