
Anatomy of a Breach: Blue Yonder — Supply Chain Ransomware Hits UK Supermarkets and Global Retailers

> series: anatomy_of_a_breach —— part: 191 —— target: blue_yonder —— affected: morrisons_sainsburys_starbucks —— impact: warehouse_management_disrupted

Hedgehog Security 30 November 2024 13 min read

A supply chain vendor. Morrisons. Sainsbury's. Starbucks. Warehouse management disrupted.

In November 2024, Blue Yonder — a supply chain management software provider owned by Panasonic, serving major retailers and logistics companies worldwide — was hit by ransomware that disrupted its managed services environment. The attack affected warehouse management, inventory control, and logistics scheduling systems used by Blue Yonder's customers globally.

In the UK, Morrisons reported disruption to its warehouse management systems, affecting the flow of goods from warehouses to stores and impacting fresh produce and chilled product availability. Sainsbury's activated contingency plans. In the US, Starbucks was forced to revert to manual processes for employee scheduling and time tracking. The Blue Yonder attack continued the pattern of supply chain vendor compromises affecting UK retailers: Blackbaud (2020, UK charities), Kaseya (2021, Coop Sweden), MOVEit/Zellis (2023, BBC/BA/Boots). Each time, one vendor's compromise cascaded to disrupt dozens of organisations.



Morrisons. Sainsbury's. Fresh produce disrupted. Through a vendor most shoppers have never heard of.

Warehouse Management Disrupted
Blue Yonder's systems manage the movement of goods from warehouses to store shelves. When those systems go offline, the physical supply chain is disrupted — even though no goods were stolen or destroyed. For UK <a href="/blog/sector-under-the-microscope-retail">retailers</a>, digital supply chain resilience is now as important as physical supply chain security. <a href="/penetration-testing/infrastructure">Infrastructure testing</a> assesses supply chain system resilience.
Fresh Produce Affected
Morrisons reported that fresh produce and chilled products were particularly affected — these items have short shelf lives and depend on just-in-time logistics that cannot tolerate delays. Ransomware against logistics systems has direct consequences for food availability on shop shelves.
Supply Chain Vendor Pattern — Year Five
Blackbaud (2020), Kaseya (2021), MOVEit/Zellis (2023), Blue Yonder (2024) — supply chain vendor ransomware affecting UK organisations has appeared in four of the last five years. The pattern is clear: vendor concentration in supply chain management creates systemic risk. <a href="/cyber-essentials">Cyber Essentials</a> addresses supply chain security. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors vendor connections.
Contingency Planning Worked
Sainsbury's activated contingency plans and maintained operations — demonstrating that preparation and tested backup procedures limit the impact of vendor failures. <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> provides the incident response planning that enables organisations to maintain operations during supply chain disruptions.

Your supply chain vendor is your vulnerability. Plan for their failure.

The Blue Yonder attack was the fourth major supply chain vendor ransomware event affecting UK organisations in five years. The lesson is unavoidable: supply chain vendor security and supply chain contingency planning are essential components of every UK organisation's security programme. Cyber Essentials addresses vendor security. Infrastructure testing assesses supply chain system resilience and contingency procedures. SOC in a Box for Retail monitors supply chain systems. And UK Cyber Defence provides incident response and business continuity support when supply chain vendors are compromised.


Blue Yonder: Morrisons, Sainsbury's, Starbucks disrupted. Is your supply chain resilient to vendor failure?

<a href="/penetration-testing/infrastructure">Infrastructure testing</a> validates supply chain resilience. <a href="/cyber-essentials">Cyber Essentials</a> addresses vendor security. <a href="https://www.socinabox.co.uk/sectors/retailers">SOC in a Box for Retail</a> monitors supply chain systems.
