Maersk 2017: When a Cyberattack Stopped Global Shipping
Situation
It is June 2017. A.P. Møller-Maersk — the world's largest container-shipping company, carrying a large share of global seaborne trade — is hit by NotPetya, among the most destructive cyberattacks in history.
NotPetya masqueraded as ransomware but was really a "wiper": it didn't lock files to extort a payment — it destroyed them irrecoverably and spread automatically and explosively across networks. Maersk wasn't even the target; it was collateral damage in a state-linked attack aimed at Ukraine (delivered via compromised Ukrainian tax software). But the effect on Maersk was total. Within hours, essentially every Windows machine across Maersk's global operations went dark.
The consequences cascaded instantly:
- Systems for booking cargo, operating port terminals, tracking containers, and coordinating ships — gone.
- At major terminals worldwide, gates froze and trucks backed up; containers couldn't be processed.
- A company that moves a meaningful fraction of the world's goods suddenly had no functioning IT whatsoever.
This is not just a corporate IT crisis — it's a hit to a piece of critical global infrastructure, with ripple effects through countless supply chains.
The decision moment
It is June–July 2017, in the thick of the attack. Maersk's leadership faces simultaneous decisions:
- Improvise to keep cargo moving + rebuild IT from scratch fast + be radically transparent. Throw everything at keeping ports and ships physically operating through manual workarounds and sheer human improvisation (paper, phones, WhatsApp, personal devices), while mounting an all-out effort to rebuild the entire global IT estate in days — and communicate openly with customers and the public about what happened and the recovery timeline. Painful and exposing, but it preserves trust, keeps the physical network alive, and treats the breach as a resilience problem to be solved in the open.
- Downplay and conceal the attack. Minimise public disclosure to protect the brand and avoid spooking customers and markets, while quietly rebuilding. Protects short-term image — but in a crisis affecting global trade, opacity erodes trust fast, leaves customers blind, and looks far worse if the scale leaks anyway.
- Wait for clean restoration before resuming. Hold operations until IT is properly rebuilt and verified, prioritising a safe restart over a chaotic improvised one. Cleaner, but in shipping, stopping is catastrophic — ships and cargo can't simply pause; the physical network must keep moving even on manual rails.
You are Søren Skou and Maersk's leadership.
Key datapoints (for reference)
| Metric | Value |
|---|---|
| Attack | NotPetya wiper malware, June 2017 |
| Nature | Destructive (not ransomware); state-linked; Ukraine-targeted |
| Impact on Maersk | Essentially all Windows systems wiped globally within hours |
| Operational effect | Booking, terminals, tracking, coordination — all down |
| Recovery feat | Rebuilt ~thousands of servers / tens of thousands of devices in ~10 days |
| Lucky break | A single surviving domain controller (offline by chance in Ghana) |
| Continuity | Manual workarounds kept much cargo physically moving |
| Estimated cost | ~$250–300 million |
| Response posture | Transparent communication; treated as resilience lesson |
Frameworks invoked
- Cyber Risk as Single Point of Failure. A homogeneous, interconnected IT estate (all Windows, flat network) meant one self-propagating wiper could take down everything at once. The vulnerability wasn't any single weak machine — it was the lack of segmentation and the monoculture that let the blast radius become global. Resilience requires assuming breach and limiting blast radius, not just preventing intrusion.
- Recoverability over Prevention. You can't prevent every attack — especially collateral damage from a state-grade wiper. What saves you is how fast you can recover: backups, redundancy, and the ability to rebuild. Maersk's recovery famously hinged on a single domain controller that survived by luck (offline in Ghana during a power cut) — a near-miss that underscores how thin the margin was, and why deliberate, tested recoverability matters.
- Operational Continuity / Manual Fallback. When the digital layer vanishes, the physical business must keep running. Maersk's people improvised with phones, paper, and personal devices to keep ports and ships moving. The lesson: critical operations need a degraded-mode plan so the company survives with no systems at all, even if inefficiently.
- Transparency in Crisis. Maersk chose to be unusually open about the attack and recovery. For critical infrastructure, candour preserves trust, helps customers plan, and turns a humiliating event into a credibility-building (even industry-educating) one. Concealment, by contrast, compounds reputational damage when the truth emerges.
Discussion questions
- Maersk's recovery partly depended on a single server that survived by sheer luck. What does that say about the difference between a company that prevented disaster and one that merely avoided it — and how do you engineer away that luck?
- The vulnerability was a homogeneous, flat IT estate. Why do efficiency and standardisation (one OS, one network) so often trade off against resilience, and how should a company balance them?
- Maersk chose transparency about a deeply embarrassing attack. When is openness about a breach the right call, and when might disclosure do more harm than good?
- Critical operations kept moving on manual workarounds. How much should a company invest in "degraded mode" continuity for an event that might never happen?
- NotPetya was collateral damage — Maersk wasn't even the target. How should companies think about systemic, geopolitically-driven cyber risk they didn't invite and can't control?
The real outcome (revealed at session end)
June–July 2017: NotPetya wipes essentially all of Maersk's global Windows systems within hours. Terminals seize up; the company that moves a fraction of world trade is running blind. Maersk's response becomes a celebrated case study in resilience:
- Manual improvisation keeps a remarkable amount of cargo physically moving — staff coordinate by phone, WhatsApp, and paper.
- An all-out IT rebuild reconstructs roughly 4,000 servers and tens of thousands of devices in about ten days. Recovery crucially depended on a single domain controller that happened to be offline (in Ghana, during a power outage) and thus survived to seed the rebuild — a stroke of luck Maersk openly acknowledged.
- Leadership chose transparency, communicating openly about the attack and recovery.
The episode cost Maersk an estimated $250–300 million, and — alongside the broader NotPetya event (one of the costliest cyberattacks ever) — became a defining lesson in cyber resilience for global business. Maersk overhauled its IT for segmentation, redundancy, and recoverability.
The lesson: In cyber risk, prevention is necessary but insufficient — recoverability is what saves you. Maersk couldn't have stopped being collateral damage in a state-grade wiper attack, and its survival hinged partly on luck (one surviving server). The durable lessons are structural: a standardised, flat, interconnected IT estate maximises efficiency and blast radius, so resilience demands segmentation and tested backups; critical operations need a manual degraded mode so the physical business survives with zero systems; and transparency turns a humiliating breach into trust preserved. The companies that survive catastrophic cyberattacks aren't the ones that are never hit — they're the ones that can rebuild fast and keep the physical wheels turning while they do.
Sources
- Andy Greenberg, Sandworm (2019) — definitive account of NotPetya and Maersk's recovery.
- Maersk and A.P. Møller-Maersk disclosures and executive talks on the NotPetya recovery.
- Coverage in Wired, Reuters, and the Financial Times of the 2017 NotPetya attack.
- Analyses of NotPetya's total global cost and cyber-resilience lessons.