“Your plant might be fully functional, you might be able to make whatever it is that you’re supposed to make, but because a ransomware attack has taken out your entire ordering and billing system, you don’t know where any of the stuff that you’re making is supposed to go.”
A review of SEC filings of top food companies found that virtually all of them listed cyberattacks and ransomware incidents as potential risks that could not only jeopardize their operations but also open them up to class action lawsuits.
“At this stage of the game, it’s impossible to ask any company to be bulletproof against cyberattacks—that’s a standard nobody can meet right now,” Streng said. “Really, a more accurate measure of somebody’s cybersecurity capacity is how well they can contain an attack and limit the damage that happens.”
Ironically, then, JBS’s swift recovery could suggest that some big food processors are actually prepared to withstand significant breaches and ransomware attacks. “I feel a little bit better that a cyberattack couldn’t grind the whole food supply chain to a halt,” Streng said.
Then he added with a laugh, “That could change tomorrow.”
Here are some of the major food industry cyberattacks you might’ve missed:
Back in 2017, multinational conglomerate Mondelez was the subject of a whopper of a cyberattack, part of a global ransomware breach that impacted hundreds of companies. The attack didn’t have a specific target; rather, it infected many users at once when they downloaded a routine update. Mondelez computer systems froze, and warehouses filled with a backlog of Oreos and Ritz crackers. Cadbury eggs and Philadelphia cream cheese languished on shelves. Employee laptops froze.
The total financial hit, according to court documents later reviewed by The New York Times, was over $100 million. Worse, the company’s insurer refused to pay, citing a “war exclusion” clause in the contract.
Fast forward to March of 2021, and brewing giant Molson Coors Beverage Company revealed its operations had been affected by a “cyber security incident,” which ground beer production and shipment processes to a brief halt. In its most recent quarterly SEC filing, the company disclosed that the attack-related costs totaled at least $2 million, and that it expects to report further losses in the coming quarter.
A malware attack on point-of-sale systems at more than 1,000 Wendy’s locations exposed the credit card information of the fast food chain’s customers. The hackers accessed the data starting in late fall of 2015, but Wendy’s did not report the breach until February of 2016. Three years later, the company announced a $50 million settlement with the banks of affected customers. It was an expensive attack: the settlement amounted to about $148 per compromised record, Restaurant Dive reported. Other restaurant chains including Huddle House, Caribou Coffee, Dunkin’, and Sonic have been the target of similar attacks.
In November 2020, Campari Group, a liquor conglomerate that owns brands including Aperol, Grand Marnier, SKYY Vodka, and (naturally) Campari, was hit with a ransomware hack by a group demanding $15 million. The hackers used compromised Facebook accounts to publish Facebook ads titled “Security breach of the Campari Group network,” calling the company’s press release about the breach a “big fat lie.” Experts suspected the Facebook ads were meant to pressure Campari executives into cooperating. The ads made more than 7,000 impressions before they were taken down for violating Facebook guidelines that prohibit the promotion of criminal activities.
Arizona Beverages, the company that makes Arizona Iced Tea, was the target of a 2019 ransomware attack that wiped hundreds of computers and shut down sales for days, TechCrunch reported. The FBI had warned the company of the existence of the malware infection weeks before the attack, and it was believed to have been caused by an email attachment. Arizona Beverages is not a publicly traded company and has not disclosed the full cost of the breach.
MGP Ingredients might not be a household name—but it’s a major, publicly traded distillery that supplies bourbon, gin, rum, and other spirits to liquor manufacturers across the country and globally. (It’s the parent company of infamous vodka brand Everclear.) In May 2020, the company suffered a ransomware attack at one of its headquarters in Atchison, Kansas, cutting into its profits by $1.7 million that quarter. In a recent SEC filing, the company said “there is no evidence that any sensitive or confidential data was improperly accessed or extracted from the network,” and that it was able to recover a little over a third of its losses through insurance.