Cyber Incident Victim: Symrise

In December 2020, Symrise AG, a global developer of flavors and fragrances used in over 30,000 products for clients including Nestle, Coca-Cola, and Unilever, suffered a disruptive cyberattack attributed to the Clop ransomware gang. The company, which reported €3.4 billion in 2019 revenue and employed over 10,000 people, was forced to halt production across its facilities and shut down essential IT systems to contain the incident. German media initially reported the operational disruption, with Symrise confirming the shutdown was necessary to assess consequences and prevent further propagation of the attack. The company maintained this containment posture for an unspecified duration while investigating the scope of the compromise. The attack caused significant operational disruption, though Symrise did not publicly disclose specific financial or production loss figures.

Clop ransomware operators claimed responsibility for the attack, informing BleepingComputer they had encrypted approximately 1,000 devices on Symrise’s network. The group stated they initially compromised the network through malware distributed via phishing emails, subsequently exfiltrating 500 GB of unencrypted files before deploying ransomware. As proof of data theft, Clop published samples on their leak site showing passports, accounting documents, audit reports, confidential cosmetic ingredient specifications, and internal emails. This theft of proprietary and sensitive information exposed Symrise to potential intellectual property theft and compliance risks, though the company did not confirm the validity of the leaked data. Clop had previously deployed similar tactics against Maastricht University, Software AG IT, and other entities, including a breach where they claimed theft of 2 million credit cards. Symrise did not respond to media inquiries regarding the attackers’ claims or provide additional details about remediation efforts beyond the initial containment measures.