The JBS ransomware hack was only the latest in a surge of cyberattacks on the U.S. food system
Jeff Kowalsky/AFP via Getty Images
The meat giant joins Wendy’s, MillerCoors, and Mondelez among cyberattack victims in recent years. Cybersecurity experts say that this weekend’s hack is unlikely to be the last.
Up to a fifth of the nation’s meat processing capacity went off the grid on Tuesday after JBS, the biggest processor in the U.S., was hit by a ransomware attack over Memorial Day weekend. The breach affected servers at facilities in North America and Australia, and forced the company to pause operations at nearly all plants in the U.S., raising alarm about potential meat shortages for consumers and livestock backlogs on feedlots.
Those fears may have been a tad premature: By Wednesday, JBS officials announced that the company’s systems were “coming back online,” as employees began returning to work; the meat supply chain will barely be disrupted. Late Wednesday evening, the Federal Bureau of Investigation (FBI) issued a statement blaming the Russian-speaking group REvil for the attack. The incident followed shortly after another closely-watched ransomware attack in mid-May when the company Colonial Pipeline was forced offline for four days, prompting fuel shortage concerns on the East Coast.
While the JBS hack caught headlines, a closer review of recent cyberattacks on the U.S. food system suggests that the incident is no anomaly. In recent years, hackers have managed to breach the operations of numerous prominent food and beverage companies—including a major beer manufacturer, a distillery, a fast food chain, and a snacking giant—in some instances severely disrupting production and causing millions of dollars in damages.
There’s some indication the agricultural sector is especially vulnerable to disruptions like this one. According to cybersecurity experts, many food manufacturing and processing companies may not have robust protections in place to safeguard their computer networks. Yet as NPR reported Thursday morning, it’s not like ag companies had no warning: A REvil representative said the hacker group would target the agricultural industry in an interview published last fall.
“When cybercrime first started, the first victims were companies in the financial sector and then companies in retail,” said Stephen Streng, a food defense analyst at the University of Minnesota’s Food Protection and Defense Institute. “As each sector that’s getting victimized progressively ups its own security game and becomes harder to compromise, then the criminals start looking for easier targets.”
After the attack, JBS plants were unable to complete even basic tasks, like weighing poultry, sharpening knives, and clocking in employees, according to interviews with union representatives. That’s not surprising to Streng, who pointed out that even one hiccup along an assembly line can grind the entire production process to a halt.
“Your plant might be fully functional, you might be able to make whatever it is that you’re supposed to make, but because a ransomware attack has taken out your entire ordering and billing system, you don’t know where any of the stuff that you’re making is supposed to go.”
A review of SEC filings of top food companies found that virtually all of them listed cyberattacks and ransomware incidents as potential risks that could not only jeopardize their operations but also open them up to class action lawsuits.
“At this stage of the game, it’s impossible to ask any company to be bulletproof against cyberattacks—that’s a standard nobody can meet right now,” Streng said. “Really, a more accurate measure of somebody’s cybersecurity capacity is how well they can contain an attack and limit the damage that happens.”
Ironically, then, JBS’s swift recovery could suggest that some big food processors are actually prepared to withstand significant breaches and ransomware attacks. “I feel a little bit better that a cyberattack couldn’t grind the whole food supply chain to a halt,” Streng said.
Then he added with a laugh, “That could change tomorrow.”
Here are some of the major food industry cyberattacks you might’ve missed:
Back in 2017, multinational conglomerate Mondelez was the subject of a whopper of a cyberattack, part of a global ransomware breach that impacted hundreds of companies. The attack didn’t have a specific target; rather, it infected many users at once when they downloaded a routine update. Mondelez computer systems froze, and warehouses filled with a backlog of Oreos and Ritz crackers. Cadbury eggs and Philadelphia cream cheese languished on shelves. Employee laptops froze.
The total financial hit, according to court documents later reviewed by The New York Times, was over $100 million. Worse, the company’s insurer refused to pay, citing a “war exclusion” clause in the contract.
Fast forward to March of 2021, and brewing giant MolsonCoors Beverage Company revealed its operations had been affected by a “cyber security incident,” which ground beer production and shipment processes to a brief halt. In its most recent quarterly SEC filing, the company disclosed that the attack-related costs totaled at least $2 million, and that it expects to report further losses in the coming quarter.
A malware attack on point-of-sale systems at more than 1,000 Wendy’s locations exposed the credit card information of the fast food chain’s customers. The hackers accessed the data starting in late fall of 2015, but Wendy’s did not report the breach until February of 2016. Three years later, the company announced a $50 million settlement with the banks of affected customers. It was an expensive attack: the settlement amounted to about $148 per compromised record, Restaurant Dive reported. Other restaurant chains including Huddle House, Caribou Coffee, Dunkin’, and Sonic have been the target of similar attacks.
In November 2020, Campari Group, a liquor conglomerate that owns brands including Aperol, Grand Marnier, SKYY Vodka, and (naturally) Campari, was hit with a ransomware hack by a group demanding $15 million. The hackers used compromised Facebook accounts to publish Facebook ads titled “Security breach of the Campari Group network” calling the company’s press release about the breach a “big fat lie.” Experts suspected the Facebook ads were meant to pressure Campari executives into cooperating. The ads made more than 7,000 impressions before they were taken down for violating Facebook guidelines that prohibit the promotion of criminal activities.
Arizona Beverages, the company that makes Arizona Iced Tea, was the target of a 2019 ransomware attack that wiped hundreds of computers and shut down sales for days, TechCrunch reported. The FBI had warned the company of the existence of the malware infection weeks before the attack, and it was believed to have been caused by an email attachment. Arizona Beverages is not a publicly traded company and has not disclosed the full cost of the breach.
MGP Ingredients might not be a household name—but it’s a major, publicly traded distillery that supplies bourbon, gin, rum, and other spirits to liquor manufacturers across the country and globally. (It’s the parent company of infamous vodka brand Everclear.) In May 2020, the company suffered from a ransomware attack at one of its headquarters in Atchison, Kansas, cutting into its profits by $1.7 million that quarter. According to a recent SEC filing, the company said “there is no evidence that any sensitive or confidential data was improperly accessed or extracted from the network,” and that it was able to recover a little over a third of its losses through insurance.