In-brief: FedEx said its TNT subsidiary was still relying on manual processes more than a week after it was ravaged by the Petya wiper malware. The attack will materially impact the company’s financial performance in 2018, FedEx said in a filing with the SEC.
Federal Express (or FedEx) is the latest US firm to claim that the Petya malware outbreak caused material damages to the company that require disclosure to regulators and said its TNT subsidiary still relied on manual processes long after the outbreak.
In a filing with the Securities and Exchange Commission (SEC) dated July 5, FedEx said that the Petya infection at its TNT Express subsidiary in June 2017, “significantly affected” the company’s worldwide operations. FedEx said that it is “not yet able to determine the full extent of its impact, including the impact on our results of operations and financial condition.” However the likely financial impact will be material to the company, according to the 10-K annual report.
FedEx acquired TNT-Express NV of the Netherlands for $4.8 billion in May, 2016. The company was the fourth largest global parcel delivery company and did business in the Ukraine. According to the filing, TNT used the MEDoc financial software. A compromised update for that software was used to initially seed the Petya malware, which also spread using the Eternal Blue exploit for a known vulnerability in the Windows operating system.
The 10-K filing provides further information on the extent of the outbreak, which prompted FedEx to temporarily halt trading of its stock.
FedEx said that the TNT Express “depots, hubs and facilities” are operational and “most TNT services” are available as of the filing date. That sounds reassuring, but the 10-K also paints a picture of a company hobbled by a destructive outbreak. FedEx acknowledged that the company’s IT team is still trying to restore “remaining operational systems” as well as “finance, back-office and secondary business systems.”
Customers are still experiencing “widespread service delays,” the company acknowledged. At the time of the filing, in early July, “manual processes” were being used to “facilitate a significant portion of TNT Express operations and customer service functions,” FedEx acknowledged. In the meantime, FedEx is transporting TNT Express packages using the (unaffected) FedEx Express network to alleviate the delays.
The company said it “cannot estimate when TNT Express services will be fully restored,” nor can the company estimate how long it will take to restore the systems infected with Petya – if they are ever restored. “It is reasonably possible that TNT Express will be unable to fully restore all of the affected systems and recover all of the critical business data that was encrypted.” Among the likely, material impacts identified by FedEx are the loss of revenue due to permanent customer loss, the cost of remediation, additional outlays for security products to prevent future attacks and costs to make customers whole or retain business. FedEx did not rule out costs from stolen data as well, though it claims not to have any evidence that company or customer data was stolen. but will discover through the remediation process.
The cost to FedEx is still unclear. In its regulatory filing, FedEx said that Petya was likely to add to the budgeted costs of integrating its TNT Express acquisition. Those were estimated to be $800 million over four years, with $275 million of those costs occurring during 2018. FedEx said it is continuing to refine those integration plans, however, “particularly in light of the recent cyber attack at TNT Express. Watching that $800 million number will be a good way to measure the additional cost imposed by Petya. Whatever the case, the impact of the Petya outbreak may require the company to make require disclosures in future reporting periods, the company said.
SEC regulations require firms to report about cyber attacks when they have a “material impact” on the company. However, victim firms are left to decide what the definition of “material” is, and such disclosures had been rare. Petya may have changed that.
FedEx is just the latest firm to warn that its finances will be impacted by the Petya outbreak. International snack and candy maker Mondelez of Deerfield, Illinois said on July 6th that the cyber attacks of June 27 will erase 3% from the company’s second quarter growth. “Given the timing of this significant global attack, despite our best efforts, we experienced disruption in our ability to ship and invoice during the last four days of our second quarter,” the company said. The company said it is “still assessing the full financial impact of this event, in addition to performing our normal quarter-end financial close process.”
Also in early July, the Financial Times reported that Reckitt Benckiser, a maker of consumer products like Nurofen and Durex condoms said that it expected losses of £110m ($142m), a second quarter sales drop of 2% compared to a year earlier and a 1 percent hit to its expected annual revenue growth. The company said in a statement that it was “making good progress in getting key applications and systems back on track” but that the full cost of the attack wasn’t yet known. The company has stated publicly that Petya affected its ability to manufacture and distribute product to customers in some 60 countries in which it operates.