NotPetya Infection Left Merck Short of Key HPV Vaccine

The NotPetya malware infection shut down pharmaceutical giant Merck & Co.’s production of the pediatric vaccine GARDASIL last June, forcing the company to borrow the drug from a stockpile maintained by the U.S. Centers for Disease Control and Prevention to meet demand.

The anecdote was contained in a quarterly filing by Merck with the U.S. Securities and Exchange Commission (SEC) on Friday. That filing also showed that the company continues to suffer financial fallout from the outbreak of the NotPetya malware in June, reducing both sales and revenue for the quarter by hundreds of millions of dollars.

Pharmaceutical giant Merck said on Friday that the NotPetya malware outbreak in June halted production and left it short of doses of Gardasil, a critical vaccine to prevent HPV. (Image courtesy of Merck.)

In its quarterly 8-K filing, Merck said that revenue for the quarter was “unfavorably impacted” by around $135 million due to “lost sales in certain markets related to the cyber-attack.” Sales in the third quarter of 2017 were also reduced by around $240 million, which Merck chalked up to production shutdowns resulting from NotPetya.

In a chilling insight into the extent of the disruption the malware caused to Merck’s operations, the company disclosed that part of its quarterly losses was linked to the interruption of its production of GARDASIL, a vaccine used to prevent Human Papillomavirus (HPV), which is linked to certain cancers and other diseases. To make up for what it described as “overall higher demand than originally planned,” Merck was forced to borrow the vaccine from a stockpile maintained by the U.S. Centers for Disease Control (CDC), the company said.

In an e-mail statement, Merck spokeswoman Tracy Ogden said that the company would not comment on how long GARDASIL production was interrupted or how much of the drug the company borrowed from the CDC. She said Merck was “using the cyber incident to make improvements in our IT structure.”

The CDC did not respond to a request for comment prior to publication.

Merck is just one of a number of high-profile, publicly traded companies that were impacted by NotPetya, a destructive malicious software program that spread by exploiting a known Microsoft Windows vulnerability and through malicious software updates to M.E.Doc, a Ukraine-based financial software application. In September, for example, FedEx disclosed that the NotPetya ransomware outbreak in late June cost it an estimated $300 million and forced the company to miss its fiscal first quarter earnings. Worldwide operations of that company’s TNT Express division were “significantly affected during the first quarter by the June 27 NotPetya cyber attack,” the company reported.

In July, international snack and candy maker Mondelez of Deerfield, Illinois, said that the cyber attacks of June 27 would erase 3% from the company’s second quarter growth. Reckitt Benckiser, a maker of consumer products like Nurofen and Durex condoms, said that it expected losses of £110m ($142m), a second quarter sales drop of 2% compared to a year earlier and a 1% hit to its expected annual revenue growth.