Ransomware Attack on Blue Yonder Hits Starbucks, Supermarkets

The incident is typical of the heightened threats organizations face during the holidays, when most companies reduce their security operations staff by around 50%.


A disruptive ransomware attack on Blue Yonder, a supply chain management software provider for major retailers, consumer product companies, and manufacturers, highlights the heightened risk organizations face during the busy holiday season.

A Nov. 21 attack on Blue Yonder affected infrastructure that the company uses to host a variety of managed services for customers, which include 46 of the top 100 manufacturers, 64 of the top 100 consumer product goods makers, and 76 of the top 100 retailers in the world.

Major UK Supermarket Chains Hit in Cyberattack

Among those reportedly most affected by the attacks are Morrisons and Sainsbury's, two of the UK's largest supermarket chains. British media outlet The Grocer quoted a Morrisons spokesperson as describing the Blue Yonder attack as affecting the smooth delivery of goods to stores in the UK. Availability of some product lines at wholesale and convenience locations could drop to as low as 60% of normal availability, the media outlet reported.

In the US, Starbucks reported that the Blue Yonder attack affected a back-end process for employee scheduling and time-tracking. Jaci Anderson, director of corporate communications at Starbucks, tells Dark Reading that the company is working on addressing issues caused by the Blue Yonder outage so employees are paid with "limited disruption or discrepancy."


Anderson described the outage as disrupting a back-end Starbucks process that enables how Starbucks employees view and manage their schedules and track the hours they worked. In the meantime, Starbucks has provided guidance on how to work around the outage manually, Anderson says.

"Keeping our partners whole despite the outage continues to be our priority and we’re ensuring they will receive pay for all hours worked," she notes. "To be clear, the outage is not impacting how we serve our customers directly and we continue to welcome and serve people in our stores."

Besides Starbucks, there have been no confirmed reports so far of widespread disruptions resulting from the attack. Blue Yonder's US customers include Kimberly-Clark, Anheuser-Busch, Campbell's, Best Buy, Wegmans, and Walgreens.

In its initial disclosure on Nov. 21, Blue Yonder said it experienced disruptions to its managed services hosted environment, which it determined was the result of a ransomware attack. The company said it was actively monitoring its Blue Yonder Azure public cloud environment but had not spotted any suspicious activity.

"Since learning of the incident, the Blue Yonder team has been working diligently together with external cybersecurity firms to make progress in their recovery process," a Blue Yonder spokesperson said in an emailed statement to Dark Reading. "We have implemented several defensive and forensic protocols" to mitigate the issue.


"We have notified relevant customers and will continue to communicate as appropriate. Additional updated information will be provided on our website as our investigation proceeds," the spokesperson added. The statement did not provide any kind of timeline by which it hopes to completely restore its systems.

Ripple Effect From Blue Yonder Hack

The fallout from the Blue Yonder attack is similar to that from other major supply chain attacks in recent times, including the ones on Progress Software's MOVEit file transfer software, Kaseya, WordPress, and Polyfill.io. In each instance, the threat actors behind the attacks managed to impact a broad swath of organizations by targeting a single trusted player in the software supply chain.

The Blue Yonder incident is also typical of the attacks that tend to happen around holidays and during weekends, when IT departments tend to be less than fully staffed. Research that Semperis conducted showed that 86% of ransomware victims over the past year were targeted either on a holiday or on a weekend. More than six in 10 respondents in the survey said they experienced a ransomware attack during a corporate event.


Semperis found that while most of the organizations in its survey maintained a round-the-clock security operations capability, some 85% scaled back security operations center (SOC) staffing levels by up to 50% outside normal business hours.

Opening the Door to Cyberattacks

"Despite widespread cybersecurity efforts, many organizations are unintentionally opening a door to ransomware by reducing their defenses during weekends and holidays," says Jeff Wichman, director of incident response at Semperis. "Attackers clearly expect this behavior and target these periods — as well as other material corporate events that might signal distracted or reduced defenses — to strike."

Wichman says the Semperis study looked at nearly 1,000 organizations in the US, the UK, France, and Germany. In each country, the vast majority of businesses reduce staffing by up to 50% on holidays and weekends. In Germany, 75% of organizations downsized staff by as much as 50% on holidays and weekends. "In security, you can’t wax or wane, and your defenses need to be constant" and around the clock, he says.

Wichman recommends that organizations maintain at least 75% of their regular staffing levels on holidays and weekends to maintain operational resiliency.

Nick Tausek, lead security automation architect at Swimlane, says incidents like the attack on Blue Yonder highlight why cyber hygiene is important at all times of the year, but especially so during the holiday season: "User training, frequent, comprehensive backups, and a tested disaster recovery plan are the three biggest protections against cybercriminals and ransomware operators during the busy holiday season."

About the Author

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.
