Slashdot Mirror


Shipping Company Maersk Says June Cyberattack Could Cost It Up To $300 Million (cnbc.com)

An anonymous reader shares an article: Container shipping company A.P. Moller Maersk on Tuesday said it expects that computer issues triggered by the NotPetya cyberattack will cost the company as much as $300 million in lost revenue. "In the last week of the [second] quarter we were hit by a cyber-attack, which mainly impacted Maersk Line, APM Terminals and Damco," Maersk CEO Soren Skou said in a statement. "Business volumes were negatively affected for a couple of weeks in July and as a consequence, our Q3 results will be impacted. We expect that the cyber-attack will impact results negatively by USD 200-300m." Maersk Line was able to take bookings from existing customers two days after the attack, and things gradually got back to normal over the following week, the company said. It said it did not lose third-party data as a result of the attack.

43 comments

  1. Cost of not doing ... by CaptainDork · · Score: 4, Insightful

    ... business.

    Pay now for system security, or pay later.

    --
    It little behooves the best of us to comment on the rest of us.
    1. Re:Cost of not doing ... by MattRyanUK · · Score: 1

      Will C level execs who skimped on IT/Infosec be paying the price?

    2. Re:Cost of not doing ... by mfh · · Score: 1

      Nah they have important vacations and yachts to enjoy on the golden parachute for all their hard work. :S

      --
      The dangers of knowledge trigger emotional distress in human beings.
    3. Re:Cost of not doing ... by Anonymous Coward · · Score: 0

      For many businesses, it pays to roll the dice and hope for the best. Sure, in this instance, it didn't work out well, but not sure it was a total bust either. While $300 million is a huge number, it's all relative to the size and scope of the business. It's possible cost of newest computers, latest software, more redundancy, more security, better backups, etc could amount to many hundreds of millions.

      Often a bigger issue is loss of goodwill and business to competitors. For businesses with little competition, skimping on IT may pay off in the long run, despite occasional periods of downtime. Prime example is the major U.S. airlines. When they experience system outages, many travelers, due to lack of competition and/or viable alternatives (i.e. days on a ship versus a day or less flying across the open ocean), have little choice other than lump it and wait it out. Many tolerate the lack of service and occasional glitches as the trade-off of super-discounted airfares.

      Back to the topic at hand, I'd suspect many businesses lose more to faulty computer and software upgrades than to hackers. Hershey is a case in point. About 20 years ago they upgraded their systems and it went bad. Cost them upwards of a hundred million dollars; loss of sales to competitors who could still ship product. Some theorize Target Canada failed, in some part, due to software issues / poor implementation, since they ran a different system than U.S. Target stores.

    4. Re:Cost of not doing ... by Applehu Akbar · · Score: 1

      And they will fire the frontline IT people who requested a budget for preventing attacks like this.

    5. Re:Cost of not doing ... by CaptainDork · · Score: 1

      I recommended infosec solutions my entire career and business did the risk analysis and said, "No."

      Shortly after I retired (not making this up), they got hit with ransomware.

      They had enough backup to recover.

      Day before yesterday, I was talking to one of the partners at the gym about shit and he mentioned that the firm bought "ransomware insurance."

      They need to fire the dickhead who still thinks there are nude photos out there of Anna Kournikova.

      --
      It little behooves the best of us to comment on the rest of us.
    6. Re:Cost of not doing ... by HornWumpus · · Score: 1

      Target Canada's failure is well documented. Software/bad data (SAS) was the proximal cause, _incompetent_ senior management was the root. When you've got your pecker in your sights, you need to admit the problem, not pull the trigger. Making those kinds of decisions is supposed to be why they 'make the big bucks'.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    7. Re:Cost of not doing ... by gweihir · · Score: 1

      Management by bean-counting can get pretty expensive...

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. Damn Somali pirates by Anonymous Coward · · Score: 1

    They will stop at nothing!

  3. I'd be interested by bobstreo · · Score: 1

    In whether they had insurance for cyber attacks, and if they were covered.

    A chunk of $300 Million would buy a lot of IT talent, for the next time...

    1. Re:I'd be interested by HornWumpus · · Score: 1

      In the long run, insurance companies/rates will be the stick that forces companies to get this right.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    2. Re:I'd be interested by zlives · · Score: 1

      for right now insurance is way cheaper than actual competent IT.

    3. Re:I'd be interested by HornWumpus · · Score: 1

      Because insurance companies are stupid? A few 0.3 billion dollar payouts will fix that. In fact, they are the _only_ thing that will fix it.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    4. Re:I'd be interested by CanadianMacFan · · Score: 1

      Do you think that they are just going to hand over the cheque without going through every bit of their business in order to find the tiniest excuse not to pay out? All it is going to take is for an insurance company to find a reason one time not to pay out on a claim and you are going to see a lot of companies start scrambling to see how secure they are. But there will always be a few that will have their head stuck in the sand no matter what and won't do a thing.

    5. Re:I'd be interested by HornWumpus · · Score: 1

      I know how insurance companies operate? The only thing they do on time and in total is collect premiums.

      But they do have a clue about assessing risk, not a big old clue when it comes to IT, but that will change.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    6. Re:I'd be interested by zlives · · Score: 1

      oh no no, i said "claim" and when the insurance company (perhaps rightfully) doesn't pay because of negligence on insured's part... then it goes on the tax write off. so no harm done, except most employees got paid for 2 days to sit around.

    7. Re:I'd be interested by HornWumpus · · Score: 1

      Tax write offs reduce losses by the marginal tax rate. No harm done?

      Bet the parent company is incorporated in Monaco or someplace equally crooked.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  4. True Price of by Anonymous Coward · · Score: 2, Insightful

    WINDOWS AND MS OFFICE.

  5. Just patch it. by ErikTheRed · · Score: 3, Informative

    Maersk claimed that “updates and patches applied to both the Windows systems and antivirus were not an effective protection.” Garbage. The patches against this attack were released in mid-March and April. They got hit at the end of June. There's no good reason to delay patching endpoints for more than a week at most. Most problematic patches for mainstream operating systems are pulled within 24-48 hours, so even three days is fairly conservative now.

    --

    Help save the critically endangered Blue Iguana
    1. Re:Just patch it. by martinX · · Score: 1

      Sometimes the prevention comes with a bit of pain...
      ---
      Queensland Health’s electronic medical records system hit by “very serious ransomware attack”
      Janelle Miles, Kara Vickery, Anthony Templeton, The Courier-Mail
      May 25, 2017 2:04pm
      MOVES to protect Queensland Health computer systems from an international cybersecurity attack are believed responsible for a failure within the state’s electronic medical records system in five key public hospitals.

      The eHealth failure, described in an internal email obtained by The Courier-Mail as a “major incident”, resulted in Cairns Hospital yesterday declaring a Code Yellow, for an “internal emergency”.

      Health Minister Cameron Dick said no surgeries had been impacted but 22 outpatient appointments had been delayed.

      “For all intents and purposes Queensland hospitals are operating like it is business as usual,” he said.

      But ward patients at the five affected hospitals have been put back on to a system of paper records.

      eHealth Queensland chief executive Dr Richard Ashby said about 500 doctors and nurses had been unable to log in at the Princess Alexandra Hospital.

      “This is a hiccup and it happened because we took extra care to defend against the ransomware attack that occurred around the world on the 13th of May,” he said.

      The issues first became apparent on Tuesday around noon.

      Mr Dick had earlier said the computer failure was most likely as a result of Queensland Health’s efforts in fending off “a very serious ransomware attack” that impacted government agencies, private businesses and individuals worldwide last week.

      The computer failure — that Queensland Health Minister Cameron Dick will tell Parliament of today — is most likely as a result of his department’s efforts in fending off “a very serious ransomware attack”.
      “Over the course of that weekend as part of protecting our systems from cyber-attack, a series of security patches provided by software owners such as Microsoft, Cerner and Citrix were loaded to further protect Queensland Health systems from attack,” Mr Dick said.

      “Yesterday I received advice from the Chief Executive of eHealth Queensland, Dr Richard Ashby, that while those patches have protected the integrity of our systems and data, it appears these protections may be making logging on and off the integrated electronic medical record system difficult for some users.
      ----

      Patches can be painful :-(

      --
      When they came for the communists, I said "He's next door. Take him away. Goddam commies."
    2. Re:Just patch it. by Anonymous Coward · · Score: 0

      From https://threatpost.com/new-petya-distribution-vectors-bubbling-to-surface/126577/

      "Unlike WannaCry, which had worming capabilities that allowed it to spread rapidly across the internet, this attack spreads itself only locally using a pair of Windows utilities, PSEXEC and WMIC, to do so, allowing it to infect machines patched against the vulnerabilities exploited by EternalBlue."
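      The quote above names the two built-in remote-execution utilities the attack used to move between already-patched hosts, which is exactly the behaviour a defender can hunt for in process-creation telemetry. The following is an added example (not from the threatpost article, the commenter, or Maersk) that scans Sysmon-style process-creation events for PsExec pointed at a remote host, the PSEXESVC service it installs on the target, and WMIC remote process creation. The key=value log layout, hostnames, user names and file paths are constructed for illustration; real Sysmon output is XML and would need a different parser front end.

```python
"""Flag PsExec / WMIC lateral-movement patterns in process-creation logs.

Added example. The events below are constructed, in a simplified
key=value layout (one event per line, quoted values may contain spaces);
they are not real Sysmon records.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample telemetry: two workstations, one benign and three
# lateral-movement events, plus a benign local WMIC query that must not fire.
SAMPLE_EVENTS = r"""
EventID=1 Host=ws01 User=CORP\alice Image="C:\Windows\System32\notepad.exe" CommandLine="notepad.exe report.txt" ParentImage="C:\Windows\explorer.exe"
EventID=1 Host=ws01 User=CORP\svc_deploy Image="C:\Tools\PsExec.exe" CommandLine="PsExec.exe \\ws02 -accepteula -s -d C:\Windows\Temp\payload.exe" ParentImage="C:\Windows\System32\cmd.exe"
EventID=1 Host=ws02 User=NT AUTHORITY\SYSTEM Image="C:\Windows\PSEXESVC.exe" CommandLine="C:\Windows\PSEXESVC.exe" ParentImage="C:\Windows\System32\services.exe"
EventID=1 Host=ws01 User=CORP\svc_deploy Image="C:\Windows\System32\wbem\wmic.exe" CommandLine="wmic.exe /node:ws03 process call create C:\Windows\Temp\payload.exe" ParentImage="C:\Windows\System32\cmd.exe"
EventID=1 Host=ws01 User=CORP\alice Image="C:\Windows\System32\wbem\wmic.exe" CommandLine="wmic.exe os get caption" ParentImage="C:\Windows\System32\cmd.exe"
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
UNC_TARGET_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)")      # \\hostname
WMIC_NODE_RE = re.compile(r'/node:"?([^\s"]+)', re.IGNORECASE)


@dataclass
class Finding:
    host: str    # host that produced the event
    user: str
    rule: str
    detail: str


def parse_event(line: str) -> dict[str, str]:
    """Turn one key=value line into a dict; quoted values keep their spaces."""
    return {k: (q if q else u) for k, q, u in KV_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict[str, str]) -> list[Finding]:
    """Apply the three lateral-movement rules to a single process-creation event."""
    findings: list[Finding] = []
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    host, user = ev.get("Host", "?"), ev.get("User", "?")

    # Rule 1: PsExec launched against a remote machine (\\target on the command line).
    # A plain local PsExec run with no UNC target is left alone.
    if image in ("psexec.exe", "psexec64.exe"):
        m = UNC_TARGET_RE.search(cmd)
        if m:
            findings.append(Finding(host, user, "psexec_remote_exec", f"target={m.group(1)}"))

    # Rule 2: the PSEXESVC service that PsExec drops and starts on the *target*;
    # seeing it under services.exe means this host was the destination.
    if image == "psexesvc.exe" and parent == "services.exe":
        findings.append(Finding(host, user, "psexesvc_started", "PsExec service started on this host"))

    # Rule 3: WMIC asked to create a process on another node.
    cmd_l = cmd.lower()
    if image == "wmic.exe" and "/node:" in cmd_l and all(w in cmd_l for w in ("process", "call", "create")):
        m = WMIC_NODE_RE.search(cmd)
        target = m.group(1) if m else "?"
        findings.append(Finding(host, user, "wmic_remote_process_create", f"target={target}"))

    return findings


def scan(log_text: str) -> list[Finding]:
    """Run the rules over every EventID=1 line in the log text."""
    out: list[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("EventID") == "1":
            out.extend(check_event(ev))
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host:5} {f.user:22} {f.rule:28} {f.detail}")
```

      Note the asymmetry in what each rule sees: rules 1 and 3 fire on the source host (where the administrator's or attacker's shell ran the tool), while rule 2 fires on the destination, so correlating the two by target name gives you both ends of the hop. In a real deployment the parser front end would consume Sysmon XML or a SIEM export, and the psexec rule would need an allow-list for whatever deployment accounts legitimately use the tool.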

    3. Re:Just patch it. by sdw · · Score: 1

      What idiot organization with 200-300M to lose in 2 days uses Windows for anything? With a couple percent of that, they could create parallel implementations in two alternate operating systems and networks to be far more immune to everything.

      --
      Stephen D. Williams
    4. Re:Just patch it. by thegarbz · · Score: 1

      > There's no good reason to delay patching endpoints for more than a week at most

      I see you've never worked in a multi-national company that had to support many business critical computer applications across many different configurations across the globe.

      > Most problematic patches for mainstream operating systems are pulled within 24-48 hours

      All problematic patches are never tested against the majority of business critical software. This is why things get tested and why it takes time. It's also why we maintain a list of blacklisted patches, until either MS or the vendor affected resolves them.

    5. Re: Just patch it. by KGIII · · Score: 1

      If these applications are business critical, shouldn't they be set up in a way that keeps them from being harmed by malware?

      For example, my company often worked with data that didn't belong to us and was considered sensitive. We maintained a second network that never touched the public network, or computers that could connect to the public network. That was business critical.

      Is that possible?

      --
      "So long and thanks for all the fish."
    6. Re: Just patch it. by Anonymous Coward · · Score: 0

      Let's just say, no. Most companies only see the bill and don't see the cost/benefit, like everyone else on this thread is saying.

      Also there's still risk... a second network like that leaves you feeling secure, which might leave you running Windows 95 on the internal private network because you feel they'll never be at risk. Then someone brings in a USB key and your internal network is trashed.

      But if you want to upgrade those systems and keep them patched, then you need a test environment and time to test the business systems, like the GP explained.

    7. Re: Just patch it. by KGIII · · Score: 1

      That's why you disable USB ports. You can still have test systems - we did. Yes, they were more costly, but the cost of data exfiltration would have been even higher, as would exposure to malware that hindered the ability to do work.

      Hmm...

      --
      "So long and thanks for all the fish."
    8. Re: Just patch it. by thegarbz · · Score: 1

      > For example, my company often worked with data that didn't belong to us and was considered sensitive. We maintained a second network that never touched the public network, or computers that could connect to the public network. That was business critical.

      Nothing in the article said all of Maersk got taken down. Maybe it was just the business critical part that handled external data.

      The only other thing I know about it is that Maersk was the cause of the infection at the Port of Rotterdam. Though the Port had pretty damn good business continuity and kept processing ships on pen and paper.

  6. and yet another Fortune 500 business... by Indy1 · · Score: 1

    learns a hard lesson on cutting corners in IT....

    My guess is that the C level idiots will just toss a huge amount of money at some overpriced consulting firm like IBM to make themselves feel better, and not really fix anything.

    --
    Lawyers, MBA's, RIAA? A jedi fears not these things!
    1. Re:and yet another Fortune 500 business... by Anonymous Coward · · Score: 0

      > learns a hard lesson on cutting corners in IT....
      Did you really mean to imply the responsible executives will reduce their own bonuses because of this?

  7. 1.2 giggawatts by zlives · · Score: 1

    ummm... this statement is for their insurance claim, they pay those and roll the dice on actual security.

    1. Re:1.2 giggawatts by CaptainDork · · Score: 1

      What the world needs now is sweet litigation.

      --
      It little behooves the best of us to comment on the rest of us.
    2. Re:1.2 giggawatts by ShanghaiBill · · Score: 1

      > ummm... this statement is for their insurance claim

      Which gives them an incentive to inflate the number. Their order taking was down for two days, but container shipping is often booked weeks in advance, so I doubt if this really cost them much. Their actual losses are likely closer to $0 than to $300M.

    3. Re:1.2 giggawatts by Blue23 · · Score: 1

      My company deals with them, and what I've heard Nth-hand is that they couldn't unload or load ships in dock and that there was a lot of port costs associated with that as well. My guess would be not able to get the customs documentation and inventory and the like.

      --
      LITTLE GIRL: But which cookie will you eat FIRST? C. MONSTER: Me think you have misconception of cookie-eating process.
  8. Outsourcing regrets? by Anonymous Coward · · Score: 0

    They apparently outsourced their IT to HP back in 2012. Are they still using them? How much money did it save them? Was it worth it?

    1. Re:Outsourcing regrets? by HornWumpus · · Score: 1

      HP enterprise is just renamed EDS.

      The data suggests that EDS marketing gives AWESOME head. They suck at computers. I guarantee it cost them money even before this.

      How they still get in the door to make their pitches escapes me. Find their client list and short the stocks/buy out of the money puts.

      IT incident insurance should 10x the premium for EDS clients...100x for Tata and Infosys.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  9. not surprised by Anonymous Coward · · Score: 0

    I used to work in IT at one of Maersk's primary competitors. Our IT shop was a whopping 6 people. 90% of our time was spent doing desktop support, but we also managed the container allocation servers, which at that time (15 years ago) were already ancient DECs.

    At one point, we did a server move that was supposed to take 10 minutes, and in the process, the power socket on one of the servers broke, meaning we were completely down.

    Luckily, I was able to jury-rig a socket from a PC onto the server with some quick soldering, so we were only down for about half an hour, but in a conversation with the CEO, he let me know that we stood to lose millions of dollars a day if we remained down. The volume these container leasing companies do on a daily basis is staggering.

    Shortly thereafter, the linux conversion effort ramped up quite a bit.

  10. Ho hum, another container exploit by Drunkulus · · Score: 1

    Another data point for the case that containers are inherently insecure. And this is Maersk, an actual business that has been working with container technology since the 60's.

  11. If anyone is interested... by __aaclcg7560 · · Score: 1

    There's a book on my reading list that I haven't read yet (pay attention, trolls), about the history of shipping containers: "Ninety Percent of Everything: Inside Shipping, the Invisible Industry That Puts Clothes on Your Back, Gas in Your Car, and Food on Your Plate" by Rose George. The New York Times gave it a good review when it first came out, mentioning that the author traveled on a Maersk ship to research the book.

    1. Re:If anyone is interested... by Anonymous Coward · · Score: 0

      Here is the free and clear Amazon link for "Ninety Percent of Everything: Inside Shipping, the Invisible Industry That Puts Clothes on Your Back, Gas in Your Car, and Food on Your Plate" .

      Don't feed the whale, folks. Don't let creimer make a few pennies off the death of your local economy!

  12. Weigh the benefits by hashish · · Score: 1

    Be interesting to know why they were not up to date with their Windows OS or the patches? Companies sometimes lag behind because of legacy systems. It would also be interesting to know what the cost of upgrading these systems is. Less than $300MIL?

  13. hahahahaha by Reverend Green · · Score: 1

    What do you wanna bet they pay their programmers like shit, ignore known security issues, and devote zero resources to cleaning up technical debt? If so, serves them right.

  14. Who gives a fuck about Maersk by Eunuchswear · · Score: 1

    We want to know how badly Durex was affected.

    --
    Watch this Heartland Institute video