Blue Yonder ransomware attack disrupts grocery, retail, and hospitality firms


Supply chain software company Blue Yonder has revealed it suffered a ransomware attack causing operational disruption for some of its customers, including a number of UK grocery and retail stores.

The firm’s solutions use AI and machine learning algorithms to help retail customers model demand and respond to market changes by optimizing their inventory accordingly.

Blue Yonder provides software for over 3,000 customers, which include large UK retailers such as Tesco, Morrisons, Sainsbury's, ASDA, Starbucks, and other major firms including DHL, Procter & Gamble, and Nestle.

According to the company’s incident updates, it started experiencing disruptions to its managed services hosted environment on 21 November 2024, which it determined to be the result of a ransomware incident.

The firm added it was actively monitoring its Azure public cloud environment and reported it had not observed any suspicious activity.

On 24 November, Blue Yonder provided an update on the incident, reaffirming that its teams were “working around the clock” to respond and were making progress.

ITPro has approached Blue Yonder for clarification on the extent of the disruption to customers and the status of its recovery, but did not receive a response.

Starbucks, Sainsbury’s, and Morrisons affected by Blue Yonder outage

One of Blue Yonder’s customers, Starbucks, has reported the attack disrupted the firm's ability to pay baristas and manage schedules, according to reporting from the Wall Street Journal.

On 25 November, Starbucks said the issue impacted 11,000 stores in North America, but had not affected its customer service.

A number of UK-based grocery retailers are also said to have been impacted by the incident, with The Grocer reporting that both Morrisons and Sainsbury’s had suffered disruptions.

A Sainsbury's spokesperson told ITPro the company was working closely with Blue Yonder to resolve the issue.

“We’re in close contact with Blue Yonder and have contingency processes in place, to ensure smooth supply for our customers.”

A Morrisons spokesperson told ITPro the incident has affected its warehouse management systems, adding that it has been operating on its backup systems.

"Last week Blue Yonder suffered an outage which has impacted our warehouse management systems for fresh and produce," the spokesperson said. "Ambient and frozen are unaffected. We are currently operating on our back up systems and we're working very hard to deliver for our customers across the country."

Tesco responded to ITPro’s statement, confirming the company had not been affected by the incident.

Another major Blue Yonder customer, DHL, confirmed its operations have been unaffected by the attack.

"We are aware of isolated infrastructure outages in BlueYonder's systems that are reportedly impacting some of their customers. All DHL operations remain unaffected," a spokesperson for the firm said.

DHL suffered a separate third-party security incident earlier this month which affected delivery services.

Nick Tausek, lead security automation architect at Swimlane, said the incident once again underscores the serious consequences attacks on supply chain organizations can have.

“The attack on Blue Yonder highlights the profound ripple effects that cyberattacks on supply chain vendors can have on organizations. As a key software provider for grocery retailers across the U.S. and U.K., Blue Yonder plays a critical role in ensuring smooth operations,” he said.

“When such vendors become the target of an attack, the consequences can cascade across the supply chain, impacting a wide spread of businesses and customers.”

Tausek said that supply chain attacks are particularly difficult to resolve due to the complex web of integrations vendors have with the systems of thousands of customers.

“Supply chain attacks are particularly challenging due to vendors being so deeply integrated into organizations. Therefore, prioritizing the security of not only your own IT infrastructure but also the access and credentials of third-party vendors becomes essential," he added.

"Leveraging automated platforms to centralize incident detection and breach reporting can help organizations efficiently respond to threats.”

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led him to develop a particular interest in IT regulation, industrial infrastructure applications, and machine learning.