German cycle-maker Canyon Bicycles GmbH has confirmed it was the victim of a security break-in over the holiday period that has all the hallmarks of a ransomware attack with parts of the infrastructure padlocked by the perpetrators.
The digital burglars gained access to IT systems “shortly before the turn of the year”, the bike maker said in a statement (PDF): “Software and servers were encrypted and thus locked in places.”
The website remained unaffected, meaning that online orders were placed as normal, it added, and the attack had been “identified and stopped” to the best of its “current state of knowledge.”
“The attack shows massive criminal intent,” said Canyon founder and CEO Roman Arnold. “Due to the encryption of our IT infrastructure, work and business processes were temporarily massively affected.”
The Koblenz HQ in west Germany and nearly all of the international operations were directly impacted, with the exception of the US subsidiary because it runs a separate IT system.
Arnold made no reference to ransomware, whether a ransom had been demanded, the size of the ransom, or whether it had been paid. The Register called the UK operations to pose these questions but was told by the head of customer services that no further comment would be made.
“It is a very sensitive business-related matter,” the rep said.
We have also emailed a bunch of questions to the HQ in Germany as no telephone number is available.
The CEO did say that Canyon expects delays to customer orders and delivery in the next few weeks but is making “every effort” to lessen the impact on punters to “get back to normal operations as quickly as possible.”
“We regret this incident very much and apologise that Canyon is currently not able to offer its usual standard of service,” Arnold added.
Since the incident occurred, Canyon said it has worked closely with local and state criminal investigators, and has informed the commissioner for the state of Rhineland-Palatinate. The company said: “Criminal charges will be filed against the perpetrators.”
“Experts from the fields of IT, forensics and cyber security were able to quickly analyse and control the attack and have already initiated solutions and countermeasures,” Canyon added.
Arnold and his brother Franc, who is no longer involved with the business, set up Radsport Arnold GmbH in 1985 as a supplier of bike components, and in 2001 it changed its moniker and became a finished cycle maker.
In 2016, the firm had to apologise for delayed orders and “missing information” for customers after it implemented a new ERP system and opened a new production site in late 2015. ®