Pitney Bowes Inc. (PBI) experienced a second ransomware attack in seven months on May 4th. The ransomware gang Maze claimed to have breached and encrypted the company’s network. The incident was confirmed by PBI in a statement: “Recently, we detected a security incident related to a ransomware attack. We are investigating the scope of the attack, specifically the type of data that had been accessed, which appears to be limited.”
PBI is working with its security partner IBM Iris to complete forensic analysis on the attack.
PBI has been a persistent underperformer overall and on a peer basis in the Cyberhedge cyber governance ratings. In October 2019 following the first ransomware attack, we wrote in a research note:
“We expect the October incident (again, due to poor cyber governance) to lead to a series of future earnings disappointments. Despite a recent bounce off of 2019 lows, PBI shares are likely to be soggy as the market will have new questions over the company’s ability to execute on its ‘digital transformation’ strategy, critical for converting its declining ‘old-economy’ profits into future ‘technology-driven’ growth. This latest incident reconfirms that the company has been underinvesting in securing the technology stack and operations that PBI claims are critical to its future success.”
In the October 2019 note, we predicted a $25-$35mn hit to EBITDA as a result of the operational disruption, and in February the company reported $29mn in lost free cashflow.
The company has continued to underperform in our ratings while its share price slide has resulted in a market cap that is roughly 50 percent of what it was before the October breach.
In a February note following the Q419 announcement, we recommended: “More security spending/costs. The company will need to increase investment in securing the technology stack and operations this year. If it fails to do so, low cyber governance ratings will persist, and the share price will likely continue to be soggy in 2020.”
This latest breach provides further evidence that the company continues to struggle with the execution of its digital transformation, the thing it is telling investors is essential to the future growth of the business.
PBI had already been placed on negative outlook by Moody’s prior to COVID‑19, and by S&P in the wake of the pandemic, as it is exposed to the downturn in small and medium-sized business activity.
This latest breach comes at a time when PBI can least afford it. Like other companies across all industry sectors with poor cyber governance ratings, PBI was already proving less resilient amid the market volatility. The financial and operational impact of this second ransomware attack will put further strain on an already strained company.
Investors and the ratings agencies have made clear that the key to the company’s recovery and future growth is strong execution of its digital strategy, namely its Sending Technology. But this breach (and its poor 2 Star cyber governance rating) is evidence that its execution is still lacking while it struggles to adequately protect its own corporate network.