Global logistics giant Pitney Bowes Inc. suffered a malware attack this week that disrupted services to an undisclosed number of its clients.
Pitney Bowes does not believe any customer or client data was compromised, and the malware focused on service disruption, Raymond Umerley, chief data protection officer for Pitney Bowes, said in a webinar addressing the attack.
The attack encrypted information on some of its systems, including its mailing systems products, which allow clients to print shipping labels, track orders and print and refill postage, among other functions. As of the publish date, these services were still not working:
- Your Account and the Pitney Bowes Supplies web store
- Hosted instances of SendSuite Live, SendSuite Express and SendSuite Tracking
- Accounting products including Inview, Business Manager and Account List Management
Pitney Bowes has more than 1.5 million clients in roughly 100 countries, according to its website. Pitney Bowes provides services to 110 retailers in the Internet Retailer 2019 Top 1000, including top retailers Amazon.com Inc. (No. 1), Apple Inc. (No. 2), Dell Technologies Inc. (No. 4), Macy’s Inc. (No. 5), Target Corp. (No. 16) and Nordstrom Inc. (No. 18).
Pitney Bowes learned of the attack on Oct. 12 and reached out to digital security companies IBM Corp. and McAfee LLC to help contain and shut down the attack. The malware targeted Microsoft Windows, so non-Windows operating systems were not impacted, Umerley said. Pitney Bowes is also working with the U.S. Postal Inspection Service and the FBI. Pitney Bowes has not yet identified the root cause or how it was infected with the malware.
Pitney Bowes says its clients will not get infected with the same ransomware if they have shared files or emails with Pitney Bowes. “We do not believe clients are at risk,” Umerley says. “We have seen no evidence that customer data has been improperly accessed or left our network.”
Apparel retailer Urban Outfitters Inc. (No. 45) said it was not materially impacted by the Pitney Bowes ransomware attack. “URBN maintains strong data privacy and security controls and is evaluating this attack for any information that can be used to further protect our systems,” an Urban Outfitters spokesperson says. Several other retailers did not respond to a request for comment.
Pitney Bowes has updated its software and added additional software to enhance its security. In addition, it is actively monitoring its system and plans to further improve its protocols so that a similar attack won’t happen again, Umerley says.
“No matter how effective defenses are or the amount spent on those defenses, hackers are sophisticated and always growing more so, so there can never be 100% certainty,” Umerley said.
Pitney Bowes is the leading vendor in the Internal Ecommerce Services category in Internet Retailer’s soon-to-launch Leading Vendors to the Top 1000 report, as it provides services to 57 Top 1000 retailer clients, with web sales totaling $46.11 billion. It also has 63 Top 1000 shipping carrier clients, with those retailers generating $268.07 billion in 2018 web sales, and has five Top 1000 fulfillment services clients.
Financial services firm Moody’s Corp. said the malware attack was a “credit negative” but had no immediate impact on Pitney Bowes’ rating. This means that the attack affects the credit profile, but isn’t enough to move its rating, a Moody’s spokesman says.
“In our view, cyber risk is event risk and we see a rising tide,” Moody’s writes in a recent report on credit implications of cyber risk.
Moody’s attributes increased cyber risk to the growing adoption and complexity of new technologies, coupled with a lack of security and technology professionals who can manage these services and defend against criminals, as well as a growing sophistication among criminals.
“These groups now have greater capabilities as a result of the increasing sophistication and availability of tools and techniques following high-profile leaks of nation-state cyber weapons,” according to the report. “As a result, global cyber events can now disrupt unintended targets, further underscoring the need for firms to secure technology and improve cyber resilience.”
Moody’s rates the retail sector as a medium-high cyber risk for credit risk exposure, according to a 2019 report. It based this rating on two factors: the vulnerability to a cyber event or attack, and the impact in terms of potential disruption of critical business processes, data disclosure and reputational effects.