Pharmaceutical giant Merck & Co says a recent cyber-attack resulted in production shutdowns and cost it around $135m in lost revenue.
Merck – known as MSD outside North America – said the attack had a particular impact on its ability to supply its human papillomavirus (HPV) vaccine Gardasil, used to prevent cervical and related cancers.
Remediation measures in the wake of the attack also led to related costs of $170m, pegging back its gross margin in the third quarter, and Merck was forced to borrow $240m-worth of Gardasil from US government stockpiles. And the costs look set to be repeated in the fourth quarter, driving up the impact even further.
Merck revealed it was hit by a massive cyber-attack in June, just a few weeks after a senior executive at the firm highlighted the vulnerability of the sector at a US government committee meeting, pointing to more than a million health records exposed by breaches in recent years.
It said after the event that “on June 27 the company experienced a network cyber-attack that led to a disruption of its worldwide operations, including manufacturing, research and sales operations,” and affected both finished product and active pharmaceutical ingredient (API) manufacturing.
Other companies affected by the attack included UK consumer healthcare company Reckitt Benckiser, chocolate manufacturer Cadbury (part of Mondelez, formerly Kraft Foods), freight logistics company FedEx, Danish shipping company AP Moller-Maersk, German mail and logistics firm Deutsche Post DHL Group and retailer Metro AG. The costs of these have run into billions of dollars, with Maersk alone estimating that the company took a hit of $200m-$300m.
A recent report from McAfee Labs said that in the first quarter of 2017 cyber-attacks directed at private healthcare organizations outstripped those against public organizations, with most of these attributed to the WannaCry and NotPetya ransomware attacks.
Social media users were also increasingly targeted through attacks such as the Faceliker Trojan that hijacks Facebook accounts, it said.
It is apparent that many companies are unprepared for the threat of this type of ransomware attack. A recent ControlScan report suggested that nearly half (49 per cent) do not employ people with the necessary cybersecurity skills and/or training, and only 39 per cent are using an advanced endpoint security solution to combat ransomware.
The August report also found that about one-quarter of firms (23 per cent) admit they have no idea how long it would take their organization to recover from a cyber-attack, and just 10 per cent use threat intelligence to educate their workforce about the risks.