Supply Chain Attacks: How Much Do They Cost Suppliers?

When discussing supply chain attacks, the focus often lies on the perspective of the companies that utilize suppliers, highlighting potential risks for the company and measures such as third-party assessments and contractual agreements on cybersecurity requirements.

However, recent data sheds some light on the financial impact these attacks can have on suppliers themselves. To illustrate this point, we discuss several supply chain incidents and the associated financial losses experienced by the suppliers.*

SolarWinds (Q4-2020)

Hackers exploited SolarWinds' Orion software update to insert malicious code, creating a backdoor for unauthorized access. Around 18,000 SolarWinds customers had applied the affected software update; the number of customers actually exploited was, however, assumed to be smaller. [1]

Financial cost by Q3-23: $ 124.5m (~ 19% of the company’s yearly revenue).

This comprises one-time costs to investigate and remediate the incident, as well as lawsuits, including settlement costs and legal and professional fees. [2] It also includes the $26m paid to settle the lawsuit with shareholders who sued the company for misleading them about its security posture. [3]

Accellion – FTA (Q4-2020)

The attackers used multiple zero-day exploits to compromise the legacy file transfer application (FTA) from Accellion. The resulting data breach affected over 100 organizations worldwide. Protected health information (PHI) and personally identifiable information (PII) were breached. The exact size of the data breach is unknown; the lawsuit refers to 9.2m persons. [4]

Financial cost by Q3-23: $ 8.1m (~ 15% of the company’s yearly revenue).

The costs are related to the settlement of the data breach lawsuit. [5]

In the lawsuit, Accellion was accused of the following: “Plaintiffs alleged, among other things, that Accellion:

(a) failed to implement and maintain adequate security practices to safeguard Plaintiffs’ and Class Members’ Personal Information;

(b) failed to prevent the Attacks and the FTA Data Breach;

(c) failed to detect security vulnerabilities leading to the Attacks and the FTA Data Breach;

and (d) failed to disclose that their data security practices were inadequate to safeguard Class Members’ Personal Information.” [5]

The fund of $8.1m will be used for credit monitoring and insurance services for those affected, to cover documented losses and cash payments to those affected, and to cover attorney fees and administrative costs. [5]

Progress Software – MOVEit (Q2-2023)

Progress Software discovered a critical vulnerability in its MOVEit managed file transfer (MFT) application that could lead to escalated privileges and potential unauthorized access to the environment. Around 2,600 organizations were affected by a ransomware group known as CL0P, which threatened to publish the stolen data if the ransom was not paid. [6]

Financial cost by Q3-23: $ 8.13m.

These are costs incurred for external cybersecurity experts and other incident response professionals. [7]

Estimated loss related to upcoming lawsuits: $ 100m (which would bring the total cost to ~ 18% of the company’s yearly revenue). [6]

Conclusion

It's clear that the financial burden imposed on suppliers by cyber attacks is substantial, especially when considered in relation to their revenue. Wouldn't this realization serve as a compelling incentive for software vendors to prioritize their cybersecurity measures? Moreover, the costs associated with these attacks tend to accumulate over time. Our observations reveal that it often takes several years to fully resolve the financial ramifications of a cyberattack, particularly those involving lawsuits and regulatory penalties. These matters can drag on for extended periods before reaching a resolution.

Notes and References

*Even with our best efforts in gathering the financial loss data, we cannot guarantee its completeness.

[1] B. Kuvar Jena. Simplilearn (2023): SolarWinds Attack And All The Details You Need To Know About It. URL: https://www.simplilearn.com/tutorials/cryptography-tutorial/all-about-solarwinds-attack (Last visited 08.01.2023)

[2] SEC.gov (2023): SEC Filings of SolarWinds Corp. URL: https://www.sec.gov/ (Last visited 08.01.2023)

[3] J. Lyons Hardcastle. Theregister (2022): SolarWinds reaches $26m settlement with shareholders, expects SEC action. URL: https://www.theregister.com/2022/11/04/solarwinds_settlement_sec_enforcement/ (Last visited 08.01.2023)

[4] J. Allen. Purplesec (2021): Accellion Data Breach: What Happened & Who Was Impacted? URL: https://purplesec.us/accellion-data-breach-explained/ (Last visited 08.01.2023)

[5] The United States District Court (2022): Plaintiffs’ notice of motion and motion for preliminary approval of class action settlement. URL: https://www.troutman.com/a/web/316857/In-RE-Accellion-Inc-Data-Breach-Litigation.pdf (Last visited 08.01.2023)

[6] E. Montalbano. Darkreading (2023): Software Makers May Face Greater Liability in Wake of MOVEit Lawsuit. URL: https://www.darkreading.com/cyberattacks-data-breaches/software-vendors-may-face-greater-liability-in-wake-of-moveit-lawsuit (Last visited 08.01.2023)

B. Kondruss. Konbriefing (2024): Number of known victims of the MOVEit attack so far. URL: https://konbriefing.com/en-topics/cyber-attacks-moveit-victim-list.html (Last visited: 08.01.2024)

[7] SEC.gov (2023): SEC Filings of Progress Software Corp. URL: https://www.sec.gov/ (Last visited 08.01.2023)
