During a call on Tuesday to discuss third-quarter earnings, AP Moller-Maersk executives brought up topics typically associated with operating Maersk Line, the world’s largest container shipping line. CEO Soren Skou talked about the growing demand for container shipping while CFO Jakob Stausholm mentioned Maersk’s major capital expenditures for the quarter: the receiving of five new vessels.
But both also discussed an issue that’s not usually equated with moving goods across the ocean: June’s NotPetya attack. The malware had infected Maersk, taking computers offline for weeks and preventing the company from communicating with customers. Ultimately, NotPetya impacted Maersk’s business operations and earnings, which is why C-suite executives were discussing cybersecurity during a call that’s typically about revenue.
For Maersk, though, NotPetya was a revenue issue as well as a cybersecurity one. The attack cost the company between $250 million and $300 million in third-quarter revenue, Skou told analysts on the call, adding that most of that revenue was from lost business in July and August.
“The quarter was heavily impacted by the cyberattack, which took the form of lower volumes as customers diverted some of their bookings during the initial phase of the cyberattacks away from Maersk,” said Chief Commercial Officer Vincent Clerc.
And NotPetya’s fiscal impact wasn’t limited to just Maersk’s third quarter. During the call, Skou said that Maersk would adjust down its profit expectations for the year, attributing the revised guidance to “continuing higher cost to recover services and reliability after the cyberattack.” Instead of grossing more than $1 billion this fiscal year, Maersk will make “around” $1 billion, said Skou, who didn’t provide exact figures.
“Our operations were significantly hampered in the third quarter by the cyberattack, and we are certainly not pleased with what we were able to deliver to the clients. We're working very hard on restoring reliability of the network,” said COO Soren Toft.
Maersk isn’t alone. Many of the organizations that were infected by NotPetya saw their earnings take a hit as a result of the attack. To date, NotPetya has cost organizations $1.2 billion in combined quarterly and yearly revenue, according to calculations Cybereason made using figures from quarterly earning and investor statements.
Other companies whose executives have discussed NotPetya during earnings calls include FedEx (its TNT subsidiary lost $300 million in quarterly earnings), software vendor Nuance Communications ($15.4 million in quarterly revenue), Mondelez International ($150 million in quarterly revenue) and U.K. consumer goods company Reckitt Benckiser (an estimated $129 million in yearly revenue). We used $275 million for Maersk, which warned investors in August that it would lose between $200 million and $300 million in third-quarter revenue as a result of NotPetya. This analysis offers deeper insight into how we assigned a price tag of $1.2 billion to the NotPetya attack.
The goal isn’t to shame or embarrass the victims by attaching dollar amounts to the attack. Instead, we’re hoping to show that destructive, non-targeted attacks like NotPetya can seriously harm any organization and that cybersecurity incidents can hit the bottom line.
Companies have long been knocked offline by cyberattacks that ultimately ate into revenue. Home Depot, for example, incurred $263 million in expenses following the 2014 data breach while the 2013 Target data breach cost the retailer $291 million. But those were targeted attacks. Criminals specifically singled out those organizations.
NotPetya, by comparison, was an untargeted campaign without a specific victim. Many of the impacted companies were infected after downloading a routine update for an accounting application that, unfortunately, attackers had tainted. There was no elaborate social engineering scheme or man-in-the-middle attack. Legitimate software was updated, a routine task that companies and employees carry out on a daily basis.
And NotPetya wasn’t an isolated incident.
Over the last two decades, there has been an increase in the quantity and specificity in destructive cyberattacks like NotPetya. Unlike other attacks, these campaigns are designed to destroy data and IT assets. And despite the level of damage caused, they weren’t carried out with advanced methods. Instead, attackers rely on relatively unsophisticated but highly effective tools that are easy to code and execute. Take NotPetya. While initial reports classified the program as ransomware, it was later determined that NotPetya’s behavior more closely matched a boot record wiper, which is a very basic technique.
Even though the majority of cyber incidents are still motivated by espionage or criminal activity, the increased use of destructive tools is an alarming and growing trend. The private sector can’t dismiss the security repercussions of this development. The fiscal fallout from destructive attacks like NotPetya has made information security an even more important issue for C-level executives, who will likely continue to discuss security incidents during earnings calls.
Learn how Cybereason protects organizations from threats like NotPetya