Cyber Incident Victim: Pengerang Independent Terminals
Date: Mar 2023
Location: Malaysia
Summary
A ransomware attack by the BlackCat group compromised Pengerang Independent Terminals (PTSB), a partially Vopak-owned Malaysian oil storage facility. Unauthorized actors gained access to data, including critical corporate information on tank infrastructure and systems. The attackers issued a 72-hour ultimatum for their demands to be met, threatening to release the stolen data on the dark web. Despite the breach, the company's operations and daily activities were not impacted.
Description
On or around March 31, 2023, Pengerang Independent Terminals Sdn Bhd (PTSB), a Malaysian oil storage terminal partially owned by Royal Vopak, experienced a significant IT security incident. The incident was confirmed by a Vopak spokesperson, who stated that unauthorized individuals had gained access to company data. The incident was first reported publicly on April 1, 2023, by multiple parties that monitor hacker groups. The attack was attributed with a high degree of certainty to the Russian ransomware group known as BlackCat. The group employed ransomware and exfiltrated critical business information from the company's systems.

The attackers claimed to have obtained financial and other crucial documents during the breach. They issued an ultimatum to Vopak, giving the company 72 hours to respond to their demands. The threat associated with this deadline was the public release of the stolen data on the dark web if the demands were not met. The specific nature of the ransom demands, including the exact amount of money requested, was not publicly disclosed by the company. However, based on previous attacks attributed to the BlackCat group earlier in the year against companies in the United States, India, and Australia, the typical ransom demands were reported to have ranged between $400,000 and $3 million, payable in cryptocurrencies such as Bitcoin or Monero.

The scope of the incident was confirmed by Vopak to be limited to the single Pengerang Independent Terminals location in Malaysia. The company emphasized that the attack did not impact its global operations or its daily activities. A Vopak representative, Richelle, stated that the company was taking the data breach extremely seriously and had launched a formal investigation into the circumstances surrounding the incident. The investigation aimed to determine the full extent of the unauthorized access and the specific data that was compromised. The stolen data was reported to include information pertaining to the tank infrastructure and systems at the affected terminal.

Vopak's operational resilience was a key point communicated by the company. Despite the cybersecurity incident, the terminal and the wider corporate entity remained fully operational. The company's ability to maintain its business functions without interruption was repeatedly stressed. This incident occurred just after Vopak had published its first-quarter financial results on the preceding Wednesday, which did not contain an update on the data breach as it had not yet been publicly confirmed. Those financial results were positive, showing a 17% increase in earnings before interest, taxes, depreciation, and amortization (EBITDA) to 249 million euros. This strong performance led the company to raise its financial expectations for the full 2023 fiscal year, anticipating an EBITDA exceeding 950 million euros, up from a previous forecast of a maximum of 950 million euros.

The company's core business involves the storage of fossil fuels such as oil and liquefied natural gas (LNG). The incident at the Malaysian terminal did not affect the company's other global operations, including its terminals in the port of Rotterdam and in Eemshaven, Groningen, in the Netherlands. Vopak, a publicly traded company with a history dating back to 1616, operates in dozens of countries worldwide. In its communications, the company also highlighted its strategic focus on expanding its storage capacity for new energy sources, such as hydrogen. In partnership with the Dutch gas network operator Gasunie, Vopak operates a large floating LNG terminal in Eemshaven and has plans to adapt that facility for the import of green hydrogen. These strategic initiatives were unrelated to the cybersecurity incident but were part of the company's broader corporate messaging during the same timeframe.

The primary consequence of the incident was the confirmed compromise of sensitive company data and the associated reputational and potential financial risk stemming from the threat of its public release. The company's public response included acknowledging the incident, apologizing for any inconvenience caused, and committing to a thorough investigation.
