Gone but not forgotten. A year after the NotPetya cyberattack took down the manufacturing and other operations of Merck & Co., the industry continues to feel the impact.
Merck was among companies worldwide that were hit by the June 27, 2017, attack. NotPetya worked by infiltrating Microsoft systems that had not installed a needed security patch. It encrypted a user's data and sent a ransom message in order for users to take back control—although the ransom was actually a spoof, there was no real way for users to retrieve their data. It also had a worm-like capability that allowed it to spread across affected networks
A spokeswoman for Merck, which has never had much to say about the attack, declined to comment Thursday as well, only pointing to SEC filings for information about the impacts of the attack.
Merck was the only pharma company to publicly acknowledge it was hit. And it was hit hard. The attack has so far cost the Kenilworth, New Jersey, company an estimated $915 million, according to its annual report.
It crippled Merck’s in-house API manufacturing and affected its formulation and packaging systems, as well as R&D and other operations. The company said the attack had a $260 million impact on sales, $330 million impact on marketing and administrative expenses and production costs, and a $200 million impact on 2018 sales through residual backlog. Most operations were restored within six months.
On top of that had production of one of its best-selling products affected even as demand was growing. That forced Merck to borrow $240 million worth of Gardasil doses from the CDC's stockpile due to the "temporary production shutdown resulting from the cyberattack, as well as overall higher demand than originally planned."
Merck has said that it cost $125 million through a reduction in sales because of its inability to meet demand for Gardasil 9.
Investigations by the U.S. and the U.K. governments found that the Russian military, targeting Ukraine, was behind the attack, which then spread to other systems. Ukraine has recently reported that it uncovered indications that hackers are preparing another attack, perhaps targeting other threat vectors into computer systems.
But Merck said it is prepared this time. In its filings, it said it has taken measures to guard against similar attacks in the future, “but also to improve the speed of the company’s recovery from such attacks and enable continued business operations to the greatest extent possible during any recovery period.”