There was good news coming out of Estes Express on Friday as it concluded a full workweek severely hampered by a cybersecurity breach.
Estes, in a brief statement for the media and in an email sent to its customers and obtained by FreightWaves, said it was making progress in its “core systems.”
Estes is “excited to announce we’ve made steady progress on bringing many parts of our IT systems back online,” it said in the email.
And in the media statement, Estes said it was “pleased to report that many of our core systems are once again operational following the implementation of additional security measures. Our team has been working tirelessly 24/7 and will continue work to bring our remaining systems back up securely and safely.”
Cyberattacks turn the day-to-day routines of workforces upside down. Estes, in its media statement, said, “All of this including our ability to continue serving our customers through this attack, is because of the resiliency, collaboration and ingenuity of our team. Despite the impact this has had on Estes’ system, there has not been a moment when we were unable to move freight or support our employees’ livelihood.”
The LTL carrier’s email spelled out several specific gains the company has made so far in its efforts to climb back from a cybersecurity attack that took down virtually all the company’s technology capabilities. News of the cybersecurity attack first broke overnight Sunday into Monday.
Estes’ bullet points of gains made so far that were in the email:
- It was “back online with our core operations system to cut freight bills, updated PROs, create manifests and effectively manage equipment.”
- It was getting Excel files of pickups from its electronic data interchange partner “so that we can show up when you expect us to pick up your freight.”
- It was trying to restore normal EDI activities “as a next major step.”
- Estes employees — 22,000, according to the email — are going to get paid this week as the payroll systems were able to run successfully.
“We’re diligently working to complete restoration on all of our systems and will keep you updated on our continued progress,” the email said.
Estes did not feature the progress report on its feed on X, the former Twitter. It has taken to that forum to keep the market apprised of its status.
The Estes email regarding progress came on the same day that a leading Wall Street analyst tried to put financial numbers on the economic hit the privately held company was taking from the cybersecurity attack.
The transportation research team at Deutsche Bank led by Amit Mehrotra, in its daily blast email, had commented earlier in the week regarding the impact the Estes cyberattack might be having on the company, as well as speculating that it might drive some traffic over to other LTL carriers.
In a brief report on Estes Friday, Deutsche Bank said it believes “this week’s developments are offering real-time benefits to other LTL carriers, as Estes customers seek alternative capacity.”
Its estimate is that Estes processes about 40,000 shipments per day.
“We don’t think market participants are appreciating the positive impact this can have on public LTL players,” the Deutsche report said. “While it remains possible for Estes to get back online, the fact that the company is still offline after five days points to the severity of the issue, in our view.”
There was no obvious reaction in the price of publicly traded LTL carriers to the Estes news, except possibly at Old Dominion. As of approximately 1:15 p.m. Friday, its stock was near $412.60, up from a price of about $407 in early trade Tuesday. The stock of Saia (NASDAQ: SAIA) was up a small amount during the week; ArcBest (NASDAQ: ARCB) fell slightly.
Deutsche also tried to estimate the size of the financial hit Estes is taking. It started with a few base assumptions: Estes had about $4.4 billion in revenue last year, with about a 10% operating margin, for $440 million in operating profits. That figure would have been headed to $350 million for 2023, presumably given the slower market but before the cyberattack, Deutsche said.
“If we assume Estes receives about $300 of revenue per shipment, this would translate to $12 million per day or $60 million per week. So, each week’s revenue equals 15-20% of full-year expected profits,” Deutsche wrote. It assumes Estes is able to meet some of its obligations, so revenue isn’t dropping to zero.
Estes has been in the news recently as it filed a successful stalking horse bid for terminals offered into the market by the bankrupt Yellow Corp. That bid came in at $1.525 billion.
There may end up being a link between the cybersecurity attack and the bid, Deutsche suggested. “The longer this goes on, the more painful it becomes,” the investment bank wrote. “It also opens up valid questions on the viability of its bid for Yellow’s terminals, which have positive implications for the next highest bidder, Old Dominion Freight Lines” (NASDAQ: ODFL).
Watching everything that is going on with Estes is Antwan Banks, who earlier this year joined the National Motor Freight Traffic Association as its director of enterprise security. Cybersecurity is at the top of his focus list.
Coincidentally, given the Estes cybersecurity breach, the NMFTA is holding a conference on cybersecurity later this month in Houston.
Banks, in an interview with FreightWaves, said he did not want to say that the Estes cybersecurity breach is “par for the course, but I’m used to this. I’m not cavalier about it but it is just a part of doing business in our current times.”
Banks said he had no first-person knowledge of how Estes got into its current situation. But based on past experience in the industry, he guessed it was through “phishing,” which could have taken the form of somebody sending an email with an attachment that when opened allowed the cyberattacker to get into the Estes system.
Banks spoke to FreightWaves before the Friday email about progress at Estes. But he said in general, a company with “good backups and they’ve tested their backups, they can be back up fairly quickly.”
But Banks added that a thorough rebuild could take as much as a month.
Banks offered up a sobering observation: The attacker may have been in the Estes system for a while, as much as six months, laying the groundwork for an attack.
Banks will be presenting at the Houston conference. And he said that he’s going to be “preaching to do tabletops,” which is basically a dry run of what a company should do in the event of a cybersecurity breach.
Some of the questions that should be addressed and answered in the tabletop, Banks said, are: “Who do they need to coordinate with as far as local authorities? Do they have some to speak to the public because I’m assuming the public has been calling them and either they can ignore them or have a spokesperson to take those calls.”
He also cautioned other companies not to gloat or be complacent about Estes’ plight. It’s a phrase heard in cybersecurity circles a lot: “Sooner rather than later” is likely the fate of most companies, Banks said.
More articles by John Kingston
Truck transportation employment ranks rebound
XPO’s Jacobs on his next venture: Wait and see
Broker dodges liability in $18 million verdict, had no control over carrier