When Merck first confirmed a cyberattack hit the company back in June 2017, it was impossible to know the extent of the damage or what would come from the attack. But those details are a little clearer now, thanks to a Bloomberg report about the weeks that followed the hack and a dispute between the drugmakers and insurers over liability.
After the attack, there was “nothing being done” at the drugmaker for two weeks, a temporary employee at the company told the news service. Employees’ screens were dark, and some watched videos on their cellphones. The NotPetya attack affected 30,000 computers at the drugmaker, according to a source cited in the report.
Merck suffered hundreds of millions in damages. In its 2018 annual report (PDF), the company said the attack “led to a disruption of its worldwide operations, including manufacturing, research and sales operations.” A vaccine plant went down, and Merck had to borrow Gardasil 9 doses from the U.S.' strategic stockpile to fulfill orders. In all, the company said it lost potential sales of $410 million in 2017 and 2018, and it had to pay other hack-related expenses of $285 million on top of that. Merck has recovered insurance payments of $45 million, according to the document.
Still, the company said, “there are disputes with certain of the insurers about the availability of some of the insurance coverage for claims related to this incident." And Bloomberg’s report has details of those disputes. The NotPetya attack originated in Russia and was aimed at Ukraine, Bloomberg reports. Merck seemed to be “collateral damage” as the virus infected the company through a server in Ukraine and quickly spread.
Merck's insurers said the damages were excluded from policies as they arose from an “act of war,” according to the Bloomberg report. In response, Merck has sued for $1.3 billion in damages, and those arguments are now playing out. Lawyers for Merck and insurers declined to comment to Bloomberg.
Meanwhile, the company has worked to harden its cyber defenses. In its 2018 annual report, Merck said it has “implemented a variety of measures to further enhance and modernize its systems to guard against similar attacks in the future." With its efforts, Merck aims to “not only to protect against future cyber-attacks, but also to improve the speed” of recoveries.