Sam’s Club, the Walmart-owned membership-only warehouse chain, has become the latest victim claimed by the infamous Cl0p ransomware group. The company tells Cybernews it is now investigating.
In what appears to be Cl0p's fifth victim name dump from the late December exploit of Cleo file-sharing software, Sam’s Club quietly appeared along with the hundreds of other Cleo victims on the group's dark leak site Friday afternoon.
In typical Cl0p fashion, the Russian-linked ransomware gang called out Sam’s Club, posting that “The company doesn't care about its customers, it ignored their security!!!”
Sam’s Club responded to the claims in a statement sent to Cybernews.
“We aware of reports regarding a potential security incident and are actively investigating the matter” it said. “Protecting the privacy and security of our members’ information is a top priority at Sam’s Club. We take these concerns seriously and will communicate further as appropriate.”
The company also noted that it has not seen any evidence of an intrusion or a security incident.
Headquartered in Arkansas, the purveyor of bulk discount goods boasts millions of customers, has roughly 600 locations across the US, Puerto Rico, and some locations in China and Mexico, and an annual revenue of $84.3 billion in 2023, according to its website.
The Walmart division also runs its own customer financing program in the form of Sam’s Club credit cards, and most Sam’s Club warehouses fill medical prescriptions and offer free health screenings.
This means Cl0p could have had unauthorized access to not only a plethora of Sam’s Club customers’ personal financial data but also a trove of private health information. Sam’s Club also employs over 100,000 people, whose personally identifiable information (PII) may also be at risk.
It also appears that Cl0p misspelled Sam’s Club website address on its leak site, leaving the B off the address to read (SAMSCLU[.] COM, as first noted by security researcher Dominic Alvieri, who posted about the leak on X.
Clop made a typo which made it difficult to confirm with anyone.
undefined Dominic Alvieri (@AlvieriD) March 28, 2025
The typo is still on their leak site and alleged @SamsClub data due @Walmart
Founded in 1983, the Sam’s Club paid membership-only warehouse chain is known for selling grocery items, electronics, and home goods, in-store and online.
Cl0p and its endless list of Cleo victims
Earlier this month, the ransomware gang Cl0p claimed to have published a slew of files belonging to the US-based cloud storage company Rackspace Technology.
The Rackspace leak was first revealed in late February, sitting above an alphabetical list of roughly 170 other victim companies, all purportedly part of a Cl0p hacking spree that exploited two zero-day vulnerabilities in Cleo's file transfer software programs, including Cleo Harmony, Cleo VLTrader, and Cleo LexiCom.
Home Depot (Mexico), Lolly Togs, Nature Sweet, Petmate, Simple Human, and VS Logistics are some of the other more prominent names on the list. Home Depot has denied being a victim of the Cleo software attacks.
The ransomware group began leaking scores of victims from the Cleo hacks just days before the New Year. Since then, dozens of those companies have been listed as published on the Cl0p site.
Blue Yonder, a leading supply chain software provider, with clients like Starbucks, BIC, and several major UK grocery chains, was the first victim to be outed by the ransomware cartel on its dark leak site, although the company has also denied Cl0p was involved in its most recent November breach.
Other Cleo hack victims claimed on the Cl0p site include major companies and organizations, such as Western Alliance Bank. The US-based bank only notified the 22,000 customers affected by the leak on March 14th, according to the US office of the Maine Attorney General.
Others listed are Hertz, Chicago Public Schools, Nissin Foods (maker of Ramen Cup Noodles), and SDI Technologies (Timex, iHome).
Threat researchers at Google’s Mandiant traced the mass Cleo exploitation to Cl0p back in October and reported having observed several backdoors being deployed on compromised systems.
The Cl0p ransomware cartel is responsible for the 2023 infamous MOVEit and Fortra GoAnywhere file management software hacks.
The MOVEIT exploit was one of the largest-ever hacking campaigns, impacting over 2,600 organizations and almost 90 million individuals. The gang reportedly earned between $75 million and $100 million from the MOVEit hacks alone.
Your email address will not be published. Required fields are markedmarked