Cyber Incident Victim: Campbell Soup Company

On or around June 30, 2023, which marked the end of its fiscal fourth quarter, Campbell Soup Company discovered a cyber intrusion within a segment of its IT network. The Camden, New Jersey-based food manufacturer responded by taking immediate steps to investigate the nature and scope of the incident. The company engaged third-party cybersecurity experts to assist with the response and formally notified federal law enforcement agencies of the breach. The public disclosure of the event was made on August 3, 2023, through the company’s annual report filing with the U.S. Securities and Exchange Commission. This filing indicated the incident occurred during the quarter ending July 30, 2023.

The cyberattack had a tangible operational impact on at least one manufacturing facility. The company disclosed an IT-related complication at its factory located in Napoleon, Ohio. Reports from local news outlets indicated that the attack forced the plant to go offline for a period of three days. As a result of this disruption, employees at the affected facility were temporarily sent home while the company worked to restore its systems. The company confirmed to local media that the impacted systems had been successfully restored and that operations at the Napoleon plant were expected to return to normal following the remediation efforts.

Despite the localized disruption at the Ohio plant, Campbell Soup Company assessed the overall impact of the cyber intrusion as limited. The company’s official SEC filing stated the incident was not material to its financial results or its overall operations. This assessment was reiterated during the company’s fiscal fourth-quarter earnings call held on August 31, 2023. During that call, Chief Financial Officer Carrie Anderson acknowledged the company would incur certain costs related to the incident but explicitly confirmed these costs were nonmaterial to its financial standing. The company’s product portfolio, which includes well-known brands such as Campbell’s soup, Pepperidge Farm cookies, Pop Secret popcorn, and V8 juices, remained largely unaffected from a production and distribution standpoint.

A key factor in containing the incident’s scope was the isolation of affected systems. A company spokesperson provided further detail, clarifying that the cyberattack did not impact any systems that connect or interact with customers or suppliers. This isolation prevented the disruption from spreading beyond the internal network and mitigated potential downstream effects on the supply chain or customer service operations. The company’s response actions included efforts to contain and ultimately eliminate the threat from its network, though specific technical details regarding the attack vector or the identity of the threat actors were not publicly disclosed.

The financial implications of the incident were partially mitigated by the company’s cybersecurity insurance policy. Campbell Soup Company confirmed it maintains cyber insurance coverage and was actively working with its insurer to submit claims under the policy. This process aimed to recover a portion of the costs associated with the incident response, which included expenses from hiring external cybersecurity experts, conducting the investigation, and implementing restoration efforts. The company’s statement to the SEC underscored that the attack had a limited impact on its business, reinforcing that the event did not rise to the level of requiring a more significant disclosure regarding its financial health or operational stability. The response exemplifies a coordinated effort involving internal teams, external experts, and law enforcement to manage and resolve a cybersecurity event with a contained operational footprint.