Schein close to recovering from 30-day cyberattack-caused pause

Professional Hacker

A week-plus after a notorious ransomware gang claimed to have stolen dozens of terabytes (TB) of data and threatened to dump the pilfered data, including shareholder information, Henry Schein announced on November 13 that it's close to recovering from the breach.

The dental and medical company’s distribution businesses are operational, and it will initiate the reactivation of its e-commerce platform early this week, Stanley Bergman, Henry Schein’s board chairman and CEO, said in a press release dated November 13.

“The company has contained the incident, restored most of the business-critical systems it proactively took offline in response to the situation and is making significant progress towards resuming normal-course operations,” according to the press release.

These comments were included in the company’s reporting of its third-quarter 2023 financial results. Henry Schein has been mum on the incident since October 15, when it announced it was forced to take some systems offline due to an attack on October 14. The business had been paralyzed ever since.

Though Schein reported total net sales of $3.2 billion for the third quarter of 2023 (end-September 30), which was a 3% increase compared to the approximately $3 billion it reported during the same quarter in 2022, the cyberattack is expected to hurt the company sales for 2023.

Now, the company’s full-year 2023 sales are expected to be approximately 1% to 3% lower than its total sales in 2022. This is an update from prior guidance of 1% to 3% sales growth, which is “primarily due to the recent cybersecurity incident,” according to the release.

“Despite current macroeconomic conditions and the cybersecurity incident, we have confidence in the stability of the dental and medical markets and remain committed to our strategic priorities and long-term financial model, which includes high single-digit to low double-digit operating income growth,” Bergman said.

Furthermore, Henry Schein expects to file an insurance claim in 2024 related to the ransomware attack. Although final resolution is subject to insurer approval, the company expects the claim to be covered under its cyber insurance policy.

“This policy has a $60 million after-tax claim limit after a $5 million retention, and any recovery from the claim will likely not be recognized until late 2024,” according to the release.

Earlier this month, it appeared as though Schein may be in for a long journey back following the cyber incident.

On November 2, the ransomware squad BlackCat, also known as ALPHV, claimed on a leak site on the dark web that it breached Henry Schein’s network and looted 35TB -- 1TB is equivalent to about 200,000 five-minute songs -- of sensitive data, which included payroll and shareholder information. Additionally, the gang alleged that its negotiations with the company failed so it re-encrypted the healthcare giant’s devices again just as Henry Schein was close to restoring its systems.

Not long after BlackCat claimed the attack, its post on a leak site was deleted. The deletion of the post was a possible indication that Henry Schein had paid the ransom or that negotiations between the groups had resumed.

BlackCat, a ransomware-as-a-service (RaaS) organization, only surfaced in 2021 but has already made a name for itself. In 2022, the U.S Federal Bureau of Investigation announced that BlackCat had attacked more than 60 organizations between November 2021 and March 2022.

Compared to other cybercrime gangs, BlackCat is said to be unique, mostly because it reportedly pays cybercriminal affiliates much more than other RaaS operations. Recently, a BlackCat affiliate admitted to breaching the systems at MGM Resorts. This attack exposed the data of more than 10 million resort guests.

Page 1 of 55
Next Page