Norwegian mountains

TOMRA: July 20th update on cyberattack

TOMRA discovered an extensive cyberattack against the company on July 16th affecting some of the company’s data systems. To contain the attack, selected services were disconnected. A team of internal and external resources is working around the clock to establish alternative solutions and to reestablish normal operations. Affected systems will remain offline until it is safe to operate them.

Development since last update:

  • We have successfully started the process of establishing digital services for our Reverse Vending Machines (RVMs) on a new, independent, cloud-based platform. We started contacting some customers today to get the first batch of RVMs in Europe back online.
  • The forensics team is starting to establish a picture of the cause and nature of the attack, but we continue to investigate to identify other potential points of entry and make sure we uncover the full nature of the attack. Further information is provided below.
  • No new hostile activities have been detected.

Updated information from the technical team:

What we know about the attack:

  • Early Sunday morning TOMRA Security Operations found suspicious activity in our office network, linked to our Montreal location.
  • The threat actor gained access to some technical infrastructure systems, allowing them to traverse and access other sites. When this was discovered, TOMRA Security Operations started to proactively shut down services and disconnect sites to limit the attack.
  • Initial investigation discovered that this was an ongoing cyber-attack, gaining access through some TOMRA user accounts that were compromised.
  • TOMRA Security Operations has identified a number of methods and tools being used in the attack.
  • In the current situation, we have found no trace of evidence that TOMRA clients, customers, partners or their systems are at risk from the attack.
  • We see no evidence of encryption of data and have not received any ransom claims.

How we work:

  • TOMRA has engaged a global cyber response team from Deloitte, assisting in the ongoing investigation and response.
  • The cyber response teams are working to migrate some services to new, cloud-based solutions and restore other systems back into a trusted state.
  • We will bring back services one by one as they are confirmed to be safe and secure.

Status of external services:

  • TOMRA Group: Internal IT services and some back-office applications remain offline and affect our supply chain management. Major office locations are offline, but cloud based Office365 applications run as normal allowing employees to access them.
  • TOMRA Collection: The process of re-establishing digital services for the reverse vending machines (RVMs) on a new, independent platform has begun. The trusted data center has been receiving data from a growing number of RVMs in Europe. Most RVMs in Europe and Asia remain operational, however, the range of RVMs in operation spans different generations and a limited number of older models are not currently operating. RVMs in Australia and North America remain online and fully connected. The Material Recovery services in North America are also impacted by digital services being offline.
  • TOMRA Recycling: Our customers sorters remain unaffected and fully operational. All remote service activities are disconnected and replaced with manual procedures.
  • TOMRA Food: Our customers optical sorting, grading, and post-harvest solutions remain unaffected and fully operational. All remote service activities are disconnected and replaced with manual procedures.

Our primary aim is to continue to deliver our services to customers, minimizing the impact this attack has on them. Most of TOMRA’s digital services are designed to operate offline for a certain amount of time but may have reduced functionality in the interim. A team is working to establish alternative solutions for all digital systems to support keeping customer solutions operational over time.

All employees involved continue to work tirelessly to resolve the situation and ensure deliveries to our customers. The team spirit and commitment from the whole TOMRA team is remarkable. We strive to ensure that all services are upheld with manual solutions, the main challenge is to ensure service and access to spare parts.

We remain in dialogue with relevant authorities and have not received any contact from those who are behind the attack.

TOMRA will remain transparent with all stakeholders, and we will continue to provide updates on when we have confirmed information to share.