Horror Stories: Million Dollar Malware Losses

by Sarah Harvey / October 2nd, 2018

What would it feel like to show up to work and discover your organization has been hit by a malware attack? Servers, phones, email, backups – they’re all down. You must put business continuity training into action, contact your clients, contact your vendors, control the news cycle, and calm the nerves of your team. Becoming a victim of a malware attack is most executives’ cybersecurity nightmare, and one that became a reality for Nuance Communications.

NotPetya and Nuance: What Happened?

In June 2017, the world experienced the destruction of NotPetya. Both the United States and the United Kingdom attributed this destructive malware attack to Russian military, specifically targeted at the Ukraine but spread worldwide. The White House stated, “It was part of the Kremlin’s ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia’s involvement in the ongoing conflict.” The same day, the UK’s Foreign Office Minister said, “The attack showed a continued disregard for Ukrainian sovereignty. Its reckless release disrupted organizations across Europe costing hundreds of millions of pounds.”

Nuance Communications, a computer software technology corporation, fell victim to NotPetya but has been able to overcome the 5 weeks of recovery and $98 million loss. In their 10-Q filing with the SEC, Nuance explained how the NotPetya attack compromised systems used by their healthcare customers, specifically with transcription services and their imaging division. The financial hit was massive. Nuance stated, “For fiscal year 2017, we estimate that we lost approximately $68.0 million in revenues, primarily in our Healthcare segment, due to the service disruption and the reserves we established for customer refund credits. Additionally, we incurred incremental costs of approximately $24.0 million for fiscal year 2017 as a result of our remediation and restoration efforts, as well as incremental amortization expenses. Although the direct effects of the Malware Incident were remediated during fiscal year 2017, the Malware Incident had a continued effect on our results of operations in the first quarter of fiscal year 2018 and our outlook for the remainder of fiscal year 2018 and beyond reflects both the residual effects of the incident and the additional resources we will need to invest on an ongoing basis to continuously enhance information security.”

Lessons Learned from Nuance

Despite the financial hit, the publicity, and the mountain of recovery that Nuance had to climb, the organization has overcome the NotPetya attack. We see a few key areas to learn from Nuance’s mistakes and responses.

Vendor Compliance Management – NotPetya wasn’t targeting Nuance. Like so many other cybersecurity attacks, NotPetya’s attack vector was vendors. When one vendor is hit, any organization that they provide services to is susceptible. Nuance had a 15-year relationship with a Ukrainian vendor who fell victim to the malware attack. In A.P. Moller-Maersk’s case, the Danish shipping conglomerate reported that NotPetya was distributed to their organization through a Ukrainian accounting software called MeDoc. The consequences of NotPetya have once again proven that vendor compliance management is an absolutely integral part of any cybersecurity risk management program.
Business Continuity and Disaster Recovery Plans – Nuance quickly recognized the cruciality of effective and implemented Business Continuity and Disaster Recovery Plans. When their servers and systems went down, employees were left with essentially no external communication and minimal internal communication – no email, no office phones, no access to information held in the cloud, and no physical security mechanisms. Before the NotPetya attack, I bet Nuance employees never imagined they would ever have to function without email or phones, let alone without the cloud. Business Continuity and Disaster Recovery plans can save your business when something as destructive as malware strikes.
Leadership Engagement – When the attack hit, Nuance executives and management immediately recognized that this was not just a security issue. Every member of the organization was impacted, but leadership’s involvement in recovery was essential. Leadership was needed to execute the Business Continuity and Disaster Recovery Plan, strategically weigh options, and keep the entire company calm and motivated.
Response – Sharing what happened in a transparent way was key in re-building trust with clients, and you can see this in their updates to healthcare customers. Fortunately, Nuance did have the advantage of being able to report that no PHI was compromised and that the attack was declared as a security incident and not a breach. Since the malware attack, Nuance has taken their recovery and corrective actions seriously. If money talks, then Nuance’s security spending speaks volumes; $35 million of their $100 million 2018 budget was dedicated to security.

How would a cybersecurity attack impact your organization’s mission? For Nuance, they had to bear with the fact that patients were negatively impacted by this attack. How would a cybersecurity attack personally impact your job? Think of how Nuance’s CTO and CIO felt when they were informed of the NotPetya attack. Then, think of how Nuance’s CEO, CFO, legal team, healthcare division, and marketing team felt knowing they would all play a role in the NotPetya recovery. If you want to develop a better Business Continuity plan, learn more about the types of cybersecurity attacks that threaten your organization, or need to implement a vendor compliance management program, KirkpatrickPrice wants to help. Contact us today.