Cyberattack could cost SmileDirectClub $15 million
NASHVILLE, Tenn., U.S.: In May, direct-to-consumer orthodontics company SmileDirectClub (SDC) was the victim of a substantial cyberattack. Numerous parts of SDC’s business were affected, including treatment planning, manufacturing and product delivery, and the company has since downsized its revenue forecast for the second quarter of this year by $10 million to $15 million (€8 million to €12 million).
In a filing with the U.S. Securities and Exchange Commission, SDC said the attack occurred on May 3 and caused a system outage. SDC said that it implemented containment and remediation measures such as temporarily isolating and shutting down the systems that were affected, including SDC’s manufacturing operations. It said that its internal engineering team worked with a leading forensic information technology firm to manage and investigate the incident. “As a result of these efforts, the company was able to successfully block the attack, no ransom was paid, and the company’s systems and operations are back online and performing normally,” the filing read.
In an article on the incident, Forbes said that available information suggested that SDC had not blocked the attack, but rather had managed to interrupt it before it progressed to a more dangerous phase.
“While the company had no data loss from, or other loss of assets as a result of, the incident, including any exposure of customer or team member information, there is no guarantee that such loss will not occur in any future incident. The incident has caused, and may continue to cause, delays and disruptions to parts of our business, including treatment planning, manufacturing operations, and product delivery,” SDC said in the filing. Further investigations are underway, including legal proceedings.
SDC did not issue a press release about the attack but did downsize its expected revenue for the second quarter of this year. Previously, the company had said that it expected revenue for the period to be within the range of $205 million to $215 million. This guidance was revaluated after the attack and SDC now expects revenues of $195 million to $200 million.
“The incident has caused, and may continue to cause, delays and disruptions to parts of our business” – SmileDirectClub
“In light of the cyberattack and the associated business disruption, we are adjusting our revenue expectations for [the second quarter] based on our best estimates of the possible impact,” David Katzman, chairman and CEO of the telehealth company, told analysts in a webcast call. “[We] are estimating approximately a $10 million to $15 million sales impact in the quarter from the cyberattack and the associated downtime we had in treatment planning and manufacturing. We maintain insurance coverage for certain expenses and potential liabilities that may be associated with the attack, and we plan to pursue coverage for all applicable expenses and liabilities,” Katzman stated.
Later in the call, Katzman explained that SDC customers had still been able to use the company’s website after the attack, and SDC’s SmileShop retail chain was not directly mentioned as having been affected. “But what it did was it delayed, for several weeks, treatment planning, impression intake that let customers know whether they have to do another impression, [and] when their impression kits were accepted,” he said.
Katzman added: “Those kinds of things—manufacturing, nothing went out the door—pretty much shut down our manufacturing tendency for over a week.”
SDC’s total revenue for the first quarter of this year was $199 million, an 8% increase on the previous quarter and a 1% year-over-year increase. The company upgraded its substantial 3D-production capacities last year with a second-generation automation platform, on which it is currently producing 70% of all SDC clear aligners.