Supply Chain Ransomware Attack Hits Starbucks, UK Grocers
Starbucks was among the corporations affected by a ransomware attack last week on managed services provider Blue Yonder, with the coffee chain giant saying it had to switch to manual operations for tasks such as employee scheduling and time tracking.
The attack hasn’t affected customer service, but it has put another spotlight on the ongoing threats to supply chains.
Blue Yonder, a subsidiary of Panasonic, claims more than 3,000 customers, and Starbucks is the highest-profile client to publicly acknowledge being affected by the attack. Morrisons and Sainsbury’s, two UK grocery chains that are also Blue Yonder customers, were affected as well.
According to industry news site The Grocer, Morrisons uses Blue Yonder’s software for demand forecasting and replenishment operations for fresh produce and chilled foods. Since the ransomware attack, the company has been using its manual backup system.
“Blue Yonder, the supplier of our warehouse management systems, has suffered a significant outage,” a Morrisons spokesperson told The Grocer. “We have reverted to a back-up process but the outage has caused the smooth flow of goods to our stores to be impacted.”
Sainsbury’s said it was also affected by the attack, but added that it has procedures in place to mitigate the effects.
Starbucks Goes Manual
For its part, a Starbucks spokesperson told CNN that the company is helping its stores with the manual workaround and added that all employees will be paid for the hours worked.
It’s unclear how many other Blue Yonder customers are feeling the effects of the attack, though a spokesperson for automaker Ford told CNN that the company “is aware and is actively investigating if a cyber incident at a third-party supplier has any impact on our operations or systems.”
In updates posted on the company’s website, Blue Yonder executives said the ransomware attack by an unknown group disrupted its managed services hosted environment and that the company is working with cybersecurity firms – including CrowdStrike, according to CNN sources – on the investigation and recovery.
“We have implemented several defensive and forensic protocols,” the company wrote. “With respect to the Blue Yonder Azure public cloud environment, we are actively monitoring and currently do not see any suspicious activity. The experts along with the Blue Yonder team are working on multiple recovery strategies and the investigation is ongoing.”
Subsequent updates said the company is making “steady progress” but cannot yet say when the service will be restored.
Supply Chain at Risk
Attacks on software supply chains have risen sharply in recent years, with the 2020 attack on SolarWinds putting the threat front and center. Nobelium, a threat group directed by the Russian Foreign Intelligence Service, injected malicious code into the software maker’s Orion remote monitoring and management product, infecting customers that downloaded a software update.
Since then, the number of supply chain attacks has grown. According to market research firm Statista, there were 694 supply chain attacks in 2020. Two years later, that number was 1,734, and last year it rose to 2,769.
In a report, cybersecurity firm ReversingLabs said that the number of threats to the supply chain rose 1,300% over three years and that there were more than a dozen high-profile supply chain attacks in 2023, including the far-reaching attacks on Progress Software’s MOVEit file transfer software by the Cl0p threat group that exposed the health care data of more than 62 million people around the world.
Threat to Software Makers, Users
“The lesson of these incidents is clear: Software supply chains represent the largest unaddressed attack surface lurking within businesses today, regardless of whether you are building or deploying software,” ReversingLabs co-founder and CEO Mario Vuksan wrote in the report. “As threats to the software supply chain grow, they expose holes in the defenses used by software producers and consumers that are focused on open-source vulnerabilities.”
Typical application security testing and code-scanning tools aren’t able to detect compromises in development processes that result in malicious modifications of sanctioned code, Vuksan wrote. At the same time, those companies buying and deploying software are used to assuming the integrity of signed updates from reputable vendors.
“Today, both software publishers are under pressure to answer a fundamental question: ‘Are there any material risks inside my software?’” he wrote.