Naked Security Naked Security

Investors accuse FedEx of lying, stock dumping after NotPetya attack

This is the second such suit, with shareholders asking why execs sold $40m+ of their shares while downplaying the ransomware attack.

Shareholders are suing FedEx execs for allegedly dumping stocks and lying about the extent of damage caused by the attack of NotPetya encrypting ransomware.

The complaint, filed last week in the US state of Delaware, accuses the shipping giant and its head honchos of giving “materially false and misleading statements” about the damage inflicted by the infection on FedEx’s European subsidiary TNT Express in June 2017.

At the time, we gave a detailed teardown of the malware, plus an analysis of its devastating worm-ransomware and disk-disabling behavior.

Besides FedEx/TNT Express, other large companies hobbled by NotPetya included British consumer products company Reckitt Benckiser, chocolate maker Mondelez, advertising group WPP, shipping giant Maersk, and Nuance Communications.

This isn’t the first NotPetya-spawned lawsuit. FedEx was hit with a similar lawsuit in July 2019, when shareholders accused the package giant of making “false and misleading” statements about minimal impacts on TNT; about recovery being on track; about the anticipated costs and timeframe it would take to integrate and restore the TNT network; and for allegedly failing to disclose important details of TNT’s deteriorating business, including slowed down overall package volume growth, an increased shift in product mix from higher-margin parcel services to lower-margin freight services, and more.

According to the lawsuit filed in July, as a result of the true extent of the damage becoming public, FedEx stock dropped over 12%.

Following the TNT attack, FedEX said that while its operations and communications systems were disrupted, it didn’t lose any data, and other FedEx companies were unaffected. It also halted trading of its shares on the New York Stock Exchange. A few months later, FedEx announced a $300m loss because of the attack.

Downplayed the damage?

That wasn’t enough, shareholders are now arguing. The executive team downplayed the extent of the damage, they claim. The suit names 19 FedEx execs, 10 of whom sold shares that netted them profits totaling more than $40m.

From the stockholder derivative complaint:

The Individual Defendants participated in the issuance and preparation of materially false and/or misleading statements by FedEx, including press releases and SEC filings. Because of the Individual Defendants’ positions with FedEx, they were aware of the adverse material non-public information about the business of FedEx, as well as its finances, markets, and present and future business prospects, via access to internal corporate documents, conversations and connections with other corporate officers and employees, attendance at management and/or Board meetings and committees thereof, and via reports and other information provided to them in connection therewith.

According to the complaint, investors didn’t understand the full extent of FedEx’s “misrepresentations and omissions” about TNT until 18 December 2018, when it reported a big profit miss due to lower package volumes in Europe, as customers fled to competitors – permanently.

Other companies victimized by NotPetya have also jumped into lawsuits. In January 2019, Mondelez, the US company that makes Oreo cookies and Cadbury chocolates, sued its insurance company, Zurich, which had declined to pay its $100m claim for NotPetya damage. Zurich had deemed the attack “a hostile or warlike action”, and, as such, excluded from coverage.

Leave a Reply

Your email address will not be published. Required fields are marked *