JBS’s cybersecurity was unusually poor prior to 2021 ransomware attack, internal homeland security records show

A May 30, 2021, ransomware attack on JBS, one of the world’s largest meat companies, disrupted the company’s operations internationally and ended when the company paid an $11 million ransom to Russian hacker group REvil. 

While food production companies are potentially lucrative targets for cyberattacks, JBS was poorly protected against them compared to similar companies, according to cybersecurity experts.

The food and agriculture industry is designated as a Critical Infrastructure Sector by the U.S. Department of Homeland Security, meaning its “incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety.”

The whole industry is vulnerable to attacks like the one on JBS — and they happen quietly and often, according to John Hoffman, senior research fellow at the Food Protection and Defense Institute at the University of Minnesota. 

In the aftermath of the JBS ransomware attack, a representative of cybersecurity risk management firm BitSight told national security officials that JBS had “many many issues” with its computer system.

“Overall rating was poor and outside the typical range for Food Production companies,” wrote BitSight Vice President Jake Olcott in a June 2, 2021, email to Jeffrey Greene, who served as the National Security Council chief of cyber response and policy at the time. 

The emails obtained by Investigate Midwest via a public records request shed light on the federal government’s and private industry’s response to the JBS attack. 

“We’ve observed a massive number of malware infections on JBS over the last year (including Conficker),” Olcott wrote in the email. “JBS has been…