The Long Tail of a Supply Chain Cyber Attack
On February 20, 2022, Expeditors International of Washington, Inc., a top five freight management company by revenue, became the victim of a cyber attack.?
Expeditors immediately shut down all operating and accounting systems to protect their data and infrastructure, but doing so made it nearly impossible to operate. They stopped shipping freight, managing customs processing, and distributing customer products for three weeks.
The company lost $40 Million in shipping opportunities and was forced to spend an additional $20 Million on investigation and recovery services as well as other remediation-related expenses. They had no cyber risk insurance and no one ever took responsibility for the attack.
When Expeditors finally got their systems back online, they faced a new challenge - a lawsuit from one of their longtime customers: iRobot.
For full coverage of the Expeditors’ cyber attack, listen to this week’s episode of the Dial P for Procurement podcast .
Thin Details on the Attack
Expeditors understandably doesn’t want to talk about the details of the cyber attack, one of those crimes that often makes people blame the victim.?
The speculation, however, is that it was a ransomware attack. On the morning of the attack, information security and technology news publication BleepingComputer received an anonymous tip that Expeditors had suffered a ransomware attack. BleepingComputer says the tip confirmed their assumptions, based on Expeditors’ decision to shut down operations and restore them from backups - the recommended course of action when dealing with a ransomware attack.
What is the difference between a cyber attack and a ransomware attack?
According to data site Zippia , ransomware attacks accounted for 22 percent of the cyber attacks reported in 2021. Incidents of ransomware have been growing rapidly over the past few years, putting this form of cyber attack on pace to surpass phishing as the most common cause of data breaches.
Costs of a Supply Chain Cyber Attack
Cyber attacks have been on the rise since 2020, occurring with increasing frequency and having a more detrimental impact on the companies affected.
According to IBM and the Ponemon Institute , the average cost of a data breach in 2022 was $4.35 million. This year, that figure is expected to grow to $5 Million.??
These costs can take a number of forms… legal, regulatory, and technical activities, loss of brand equity, customer turnover, and drain on employee productivity.
According to insurance provider Hiscox , one in six cyber attacks in 2020 was a ransomware attack. In 2020, the amount of ransom demanded reached into the millions, and in 2021 Hiscox reported that some ransom demands increased into the tens of millions of dollars.
领英推荐
Expeditors was the unfortunate victim of a cyber attack, and they faced costs over 10X the average. But the impact was not limited to their organization - their customers were affected as well: companies shipping products via their network and storing merchandise in their warehouses.
When a cyber attack occurs in the supply chain, it can make matters even worse. Approximately 20 percent of all breaches are caused by compromised third-parties in the supply chain.
Breaches with their origin in the supply chain take 26 days longer to detect than the global average. They also cost more: $4.46 Million compared to the global average of $4.35 million. As we learned from Jo Peterson at Art of Procurement Digital Outcomes earlier this year, the longer a data breach exists without being detected, the more it will cost the company. Time is literally money.
iRobot’s Side of the Story
iRobot, maker of Roomba self-propelled vacuum cleaners, had been a customer of Expeditors for 15 years. They were affected by the cyber attack as well.?
Their product was in Expeditors’ warehouses when the attack hit, making it impossible to move goods, fulfill orders, or even know with certainty how much product they had where. According to The Loadstar , their contract required Expeditors to receive new products and ship them to iRobot customers within 24 hours of receiving an order. Expeditors also had to update its system within four hours of any stock movement. A three week system shutdown made that impossible.
In an effort to keep their own business moving, iRobot sent employees to Expeditors’ warehouses in Washington and Virginia to physically count Roombas and other goods. They loaded nearly 12,000 pallets of products into 207 rented tractor trailers to get orders to customers.?
iRobot is suing Expeditors for $2.1 million plus 9% interest and legal fees. Their supply chain may be fine now that they have moved to another logistics partner, but they incurred significant expenses from this attack, simply by proximity. iRobot says Expeditors' system shutdown was voluntary. They aren’t suing because the attack happened, they are suing for how Expeditors handled it.?
A final settlement meeting between the two sides is scheduled for February 2024, two long years after the attack occurred.?
Cyber Risk is Supply Chain Risk
When we think about risk… especially supply chain risk, Cyber security may not be procurement’s first thought. Most CEOs feel differently. In an August 2022 PwC Pulse survey , cyber security was identified as CEOs’ top risk concern, with 40 percent characterizing the risk as serious.?
Risk is risk whether it is to brand, product, systems, or all of the above. We can’t allow our view of risk to be siloed any more than we want our data and processes to be siloed.
With incidents and costs going up, procurement has to be proactive and extend beyond including token information security questionnaires in our RFPs.?
One of the articles I read while researching this article and podcast episode included a statement from an unnamed executive not involved in this case. He talked about the shock - the absolute shock - that teams are likely to be under in the immediate aftermath of a cyber attack. He said it was a week before the shock had abated enough that his company could start mobilizing their alternate plans and trying to recover.
The financial costs of a cyber attack are substantial, but so are the human costs. The toll this kind of situation can take on a company and its employees and its customers is real and lasting.?
The Expeditors / iRobot case won’t be settled until next year, but new attacks are happening every day. Hopefully you and your suppliers won’t be affected. Just remember that hope is not a strategy. Cyber security is a fight that procurement needs to play a strong, active, and ongoing role in - starting right now.
Click here to read other editions of the Dial P for Procurement newsletter and to subscribe!
Senior Corporate Sourcing Recruiter AI, IT, IS, HR, Benefits, Finance, Treasury, Voice, SaaS, Robotics, Electric Driver-less Cars, Banking, e-Healthcare, & eCommerce.
1 年Kelly Barner thank you unpacking and sharing these stories!
Helping freight & logistics business owners with their finances.
1 年Kelly, I wonder if incidents like this will lead to contracts including language around this. E.g., if a 3PL is impacted by a verified cyber attack, then there is a planned mitigation vs. having to go to court to sort it out.
Founder | Board & Strategy Advisor | Globally Recognized Risk & Supply Chain Expert | Author | World Economic Forum GRN| Founding member of USDOC Supply Chain Competitiveness | Firefighter | OEM
1 年Kelly Barner informative piece and as you mention, the tip of the iceberg. The impact to the health care and life sciences from a patient safety perspective is unacceptable. Thank you for sharing!!
Digital Marketing
1 年It’s happening in all industries. One of the music industry’s best selling artists, Jimmy Chamberlin The Smashing Pumpkins, had to pay a ransom to avoid their 3 part album from being leaked. This hacker had also had master files to some of the worlds most valuable published songs. I recommend preparing for the new Web 3.0. Great article Kelly Barner, keep them coming. We enjoy the learnings.