Cyber Incident Victim: Demant A/S
Date:
Sep 2019
Location:
Denmark
Summary
A Danish hearing aid manufacturer suffered a ransomware attack that crippled its global IT infrastructure, severely disrupting production, distribution, and retail operations across multiple continents. The incident caused extensive delays in product supply, order processing, and customer service at clinics, particularly impacting key markets like the US, Australia, Canada, and the UK. Financial losses totaled between $80 million and $95 million, primarily from lost sales and unfulfilled orders, with only $7.3 million attributed to recovery efforts. While most operations resumed after weeks of recovery, residual effects on sales persisted for months. The company mitigated some losses through a $14.6 million cyber insurance payout.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On September 3, 2019, Danish hearing aid manufacturer Demant publicly disclosed a critical cybersecurity incident that forced the immediate shutdown of its entire internal IT infrastructure globally. The company characterized the event only as "cyber-crime" in official communications, though Danish media reports consistently identified it as a ransomware attack based on observed operational patterns. The attack caused extensive disruption across Demant's worldwide operations, affecting core systems including enterprise resource planning (ERP) platforms, manufacturing facilities in Poland, Mexico, France, and Denmark, distribution networks, and all Asia-Pacific operations. Service delivery systems at hearing aid retail clinics were particularly compromised, impairing customer service capabilities. Unlike typical cyber incidents resolved within days, Demant's recovery extended through September and required ongoing efforts at the time of their September 30 financial disclosure, with full restoration projected to take approximately two additional weeks. The company maintained operational continuity through manual workarounds during infrastructure restoration but experienced severe business process interruptions.
The incident resulted in projected financial losses between $80 million and $95 million, partially offset by a $14.6 million cyber insurance payout. Primary impacts stemmed from operational paralysis rather than recovery expenses, with infrastructure rebuilding costs totaling only $7.3 million. Lost sales accounted for approximately half the losses in Demant's wholesale hearing aid division, concentrated in critical growth markets including the United States. Retail operations sustained nearly half the revenue impact, with clinics in Australia, the US, Canada, and the UK unable to schedule appointments or provide regular services throughout September. Although most clinics resumed normal operations by late September, appointment backlogs created anticipated sales deficits extending one to two months beyond initial recovery. Smaller business units including Hearing Implants, Diagnostics, and Personal Communication experienced comparatively limited financial effects due to their reduced scale. Production delays and order fulfillment failures across manufacturing sites compounded revenue losses, particularly during peak seasonal business periods. Demant explicitly linked the incident's severity to prolonged IT system unavailability rather than data theft or secondary operational damage, marking one of the most costly ransomware-related business disruptions recorded outside the NotPetya attacks.