A ransomware attack on Blue Yonder, a critical supply chain management software provider, has forced Starbucks to revert to manual processes for managing employee schedules and payroll systems, while UK supermarket chains Morrisons and Sainsbury’s have also been impacted by the Blue Yonder cyberattack.
The incident, which began on November 21, 2024, has not affected customer service or store operations at Starbucks, the coffee chain has confirmed.
Store managers are now using pen and paper to track employee hours, as the attack disrupted the company’s back-end scheduling and time management processes.
That attack has also impacted Morrisons and Sainsbury’s in the UK – with both acknowledging disruptions to their warehouse management systems, though they are reported to have implemented backup systems.
Blue Yonder has enlisted external cybersecurity firms to assist with recovery efforts and implemented defensive protocols. The company has not provided a specific timeline for service restoration.
In its most recent update, the organisation said: “The Blue Yonder team is working around the clock to respond to this incident and continues to make progress. There are no additional updates to share at this time with regard to our restoration timeline.”
The incident highlights the vulnerability of supply chain systems during the holiday season. Blue Yonder serves an extensive client base, including top manufacturers; around 60% of the top FMCG companies and 75% of the top 100 retailers globally.
Adam Pilton, senior cybersecurity consultant at Cybersmart, believes that the attack will have far-reaching consequences for the logistics sectors and ultimately, the consumer.
“Blue Yonder has become the victim of a ransomware attack, but for many people, this news will seem insignificant or irrelevant, however, when you understand the importance of Blue Yonder to supply chains across manufacturing, consumer goods and global retail, there is little question that this is relevant it’s everyone.
“Simply knowing that Blue Yonder is in the supply chain for both Morrisons and Sainsbury’s and that this ransomware attack indirectly impacts their warehouse management systems, you can quickly understand how this attack is significant. Whether we will see the impact of this on the shelves or in the prices that we pay for goods, only time we tell.”
Incident response
Given the ripple effect of SaaS provider disruptions, James McQuiggan, security awareness advocate at cyber awareness training platform KnowBe4, emphasised the need for firms to regularly assess third party companies and prioritise incident response (IR) within their organisations.
“Regular assessments of vendor security posture and business continuity capabilities are essential to ensure cyber resiliency,” he said.
“Organisations should address any third-party failures in their IR plans, including detailed procedures for alternative processes and clear communication paths to keep staff informed and operations running during outages,” he added.
While it’s hard to predict every third-party failure McQuiggan emphasised the importance of fostering “a culture of preparedness” through simulations and drills that mimic SaaS outages to build staff readiness and reduce operational downtime during actual events.
“The multi-complex nature of SaaS networks requires IR planning to include proactive coordination and ensure business continuity to reduce the risk of downtime or disruption to the business in the face of third-party disruptions,” he said.
