I received the latest SANS newsletter on Friday, July 18th, and it had an interesting news story:
UNFI Estimates Financial Impact of June Cyberattack (July 16 & 17, 2025)

United Natural Foods Inc. (UNFI) has published a press release providing 2025 fiscal information including the estimated impact of operational disruptions and shutdown of the ordering system resulting from a June 2025 cyberattack. "The Company estimates that the cyber incident will impact fiscal 2025 net sales by approximately $350 to $400 million, net (loss) income by $50 to $60 million," apart from "adequate" forthcoming insurance proceeds. UNFI executives stated during a July 16 call with investors that the financial impact is not expected to extend beyond the current quarter. Remediation costs including cybersecurity, legal, and governance consultation, are reportedly estimated to have cost $5M, with another $20M "incurred as the company used manual workarounds."

Editor's Note

[Pescatore] While often the cost (premiums plus deductible) of “adequate” cyber-insurance exceeds the cost of avoiding most incidents, one benefit is it does drive victims to make public declarations of cost as part of going after insurance payouts. The UNFI financial report has some good numbers to point out to your CIO: UNFI will reduce “capital and cloud expenditures” by 32% in 2025, likely as part of reducing the financial impact of the incident.

[Neely] While $350-$400 million seems like a big number, UNFI net sales are expected to be about $31.7 billion, which is how you get to the impact not extending beyond the current quarter.

[Murray] This is the kind of information of interest to investors which the SEC regulation is intended to elicit but often fails to do.

[Dukes] Validation for why every organization should have cyber insurance. The downside, though, is that cyber insurance premiums are sure to rise across the board. The insurance industry could also do a better job enforcing a minimum cybersecurity baseline that organizations must meet to obtain the policy. Otherwise, we stay in this ‘rinse and repeat’ cyber incident cycle.

Read more in:
- ir.unfi.com: United Natural Foods, Inc. Provides Business Update
- cyberscoop.com: United Natural Foods loses up to $400M in sales after cyberattack
So what does this mean? It means many C-suites do not understand cybersecurity and its effects. Not only did they lose about $400 mil in sales and about $25 mil in costs, but they have not yet been able to count the reputation losses. Think about the money spent on advertising. Every dollar now reminds some customers they failed. Sure, with enough time and enough advertising it will eventually come back, right? I don’t want to discuss marketing here, but I am sure it is not that easy.
In essence, the C-suite does not understand the true implications of a failure in cybersecurity. Prevention and failover costs are money well spent if or when an attack happens, because the reputation cost is higher than you think.
It is time to prevent cyber attacks, not to wait for them and rely on insurance to keep losses down.
Cyber attacks and cybersecurity never end, but they can be managed! Go to the bottom of this page to learn more.
On May 6th, 2025, Verizon's annual DBIR (Data Breach Investigations Report) came out!

Every year Verizon catalogs the number of breaches that occurred with its clients, along with other information that is available (although the data was reduced this year for some reason). And it never fails: it is always worse this year than last. Even if the numbers do not actually state that it is worse, the overall report makes it seem that way. This phenomenon is typical and unfortunate. What should we really look for in these yearly reports? New trends and old trends, i.e. what do we need to focus on with our defense?
Here is the main point, from the table on page 85: System Intrusion, Social Engineering, and Basic Web Application Attacks represent 96% of breaches.
“The first thing that is readily apparent is that there are almost four times the number of SMB victims than there are large organizations. This increased difference makes sense due in part to the simple fact that there are more SMBs doing business than there are large organizations. It may also be, to some degree, a byproduct of our contributor bias. It does seem like a rather intuitive finding, though, even if it is not a finding that is particularly encouraging if you are an SMB.”
On page 86: “Whereas large orgs see Ransomware only comprising 39% of the breaches, SMBs are experiencing Ransomware-related breaches to the tune of 88% overall. Speaking of adages, “When it rains, it pours” comes immediately to mind. In addition to being terribly dispiriting for SMBs, this finding goes a long way toward refuting the common misconception that ransomware groups are only targeting large organizations and not bothering with the small fries.
In fact, the data indicates the exact opposite scenario. In brief, ransomware groups don’t seem to care what size an organization is; they are quite happy to breach smaller organizations and adjust their ransom demands accordingly.”

At Fixvirus we always preach good security practices, because even a small environment will get hacked: the attackers (criminal hackers) are paid to hack and to take advantage of mistakes and possible problems, including through social engineering and system intrusion attacks. Here at Fixvirus we do not focus so much on the negative; we like to focus on what you can do to prevent attacks.
Basically, the 3 essentials: update, scan for vulnerabilities, and train employees on social engineering and security policies.

We spend time and resources only when necessary, and in an ethical manner. Ethics in cybersecurity and IT is ultra important, as it drives trust and is needed for some difficult choices at times. Contact Tony Zafiropoulos to discuss how we can help you.
Choose between Basic, Seems Right, and Max Effort:
Basic – Security Policy outline – 1 external vulnerability assessment
Seems Right – Security Policy Outline and 2 passes (back and forth with client to improve Sec Policy); external vulnerability assessment, which depending on setup may need an onsite visit (at least 1 hour onsite); and 1 written report.
Max effort – Security Policy Outline plus 10 passes (or as many as required – discussions and Q&A), as many onsite visits as necessary to fully evaluate and write reports as needed.
It will not take long to make a difference – and now you can spend time on other matters – to grow business or otherwise.
Your Business. Your Customers. Keep Them Safe Online.