Cyber Incident Victim: TNT Express
Date: Jun 2017
Location: Ukraine
Summary
A global courier company experienced severe operational disruptions following the NotPetya cyberattack, which encrypted critical systems and data, particularly affecting its Ukraine-based infrastructure. Manual processing became necessary for package handling, leading to extensive delivery backlogs, widespread service delays, and unrecoverable data. Customers faced prolonged shipment failures—including damaged goods, misplaced critical medical equipment, and near-miss wedding dress deliveries—while small businesses incurred financial losses from undelivered orders and forced refunds. Internal communications collapsed, requiring alternative messaging platforms, and contingency measures strained parent company resources. Recovery remained incomplete weeks later, with persistent invoicing issues and an inability to restore full services, significantly eroding customer trust and prompting client attrition.
Description
The NotPetya cyber-attack, which struck globally on June 28, 2017, severely disrupted TNT Express operations due to the company's significant reliance on Ukrainian-based systems and communications infrastructure. Ukraine was the primary initial target of the attack, and TNT's operations there suffered extensive infiltration, resulting in data encryption that locked employees out of critical systems. This forced an immediate shift to manual processing methods for package handling, customer service, and invoicing across TNT's network. FedEx, TNT's parent company, activated contingency measures by absorbing large volumes of TNT shipments, but this overwhelmed FedEx's infrastructure, leading to severe bottlenecks at European depots. At peak disruption, some facilities ended each day with tens of thousands of unprocessed packages instead of the usual handful, exacerbated by a shortage of loading units. Internal communications collapsed, requiring staff to use WhatsApp Messenger temporarily after corporate email systems became inaccessible.

The operational breakdown caused widespread delivery failures, affecting individuals and businesses for over six weeks. Customers reported damaged goods like a vintage coffee table that arrived broken after multiple delayed shipments, medical equipment stranded at airports, and a bridal dress that nearly missed a wedding despite emergency overnight delivery efforts. Small businesses faced financial losses, such as Staffordshire Wrought Iron, which lost £900 due to PayPal refunds for untracked orders, while an online cycling retailer had to reroute non-EU shipments through competitors. Students missed academic deadlines due to delayed computer parts, and one customer waited a month for a shower screen originally promised in five days. TNT acknowledged on July 17 that all facilities were technically operational but confirmed ongoing "widespread service and invoicing delays" reliant on manual workarounds, with no estimated recovery timeline. By August 7, TNT still could not process non-EU deliveries and had not restored automated systems, leaving customers without resolution or detailed explanations for the prolonged crisis.
