Taiwan Semiconductor Manufacturing Co. blamed a variant of the 2017 WannaCry ransomware for the unprecedented shutdown of several plants, as it ramps up chipmaking for Apple Inc.’s next iPhones.
Full operations have resumed and the malware will reduce revenue this quarter by no more than 2 percent, down from an initial estimate of roughly 3 percent, Chief Executive Officer C. C. Wei said Monday. The company faces shipment delays from the infection, which happened when a supplier installed tainted software without a virus scan. It spread swiftly and hit facilities in Tainan, Hsinchu and Taichung — home to some of the cutting-edge plants that produce Apple’s semiconductors.
TSMC intends to make up for the lost time as it heads into the critical holiday season, Apple’s most important quarter. But Wei wouldn’t discuss the impact on its customers or where the malware variant may have originated, nor how it made it past the company’s security protocols — a black eye for a corporation that prides itself on its technological and operational superiority. No hacker targeted TSMC, Wei said, explaining that the infected production tool was provided by an unidentified vendor.
“We are surprised and shocked,” Wei told reporters. “We have installed tens of thousands of tools before, and this is the first time this happened.”
The company is overhauling its procedures after encountering a virus more complex than initially thought, he said. Chief Financial Officer Lora Ho said the incident would have some impact on TSMC’s 2018 profit, declining to elaborate beyond an earlier warning that third-quarter gross margins would slip by about a percentage point.
This is the first time a virus had brought down a TSMC facility. Its shares dipped less than 1 percent Monday. The incident underscores the global nature of the technology supply chain, in which companies like Apple and Qualcomm Inc. depend on hundreds of suppliers around the world.
WannaCry spread across the globe in May 2017, rolling through corporations from FedEx Corp. to French carmaker Renault SA and infiltrating Russia’s interior ministry as well as British hospitals. Thought to have emanated from North Korea, it gave victims 72 hours to pay $300 in bitcoin or cough up twice as much, threatening a permanent loss of data. Wei said the variant that infected TSMC didn’t demand a ransom.
The rogue code was ultimately estimated to have infected hundreds of thousands of computers that run Microsoft’s Windows, in thousands of companies in about 150 countries. The ransomware however was considered unsophisticated and was quickly contained.
TSMC had previously forecast revenue of $8.45 billion to $8.55 billion in the September quarter. The company, which also serves Huawei Technologies Co., MediaTek Inc., Nvidia Corp. and Texas Instruments Inc, maintained its 2018 forecast of boosting revenue by high single digits in U.S. dollar terms.
The company again declined to discuss the implications for Apple, which last week surpassed a market value of $1 trillion. The disruption at TSMC comes at a sensitive time for its largest customer, which accounts for more than 21 percent of its revenue. Apple designs the processors that go into its devices, but uses TSMC as its exclusive partner for producing the chips. In the past, the U.S. company has employed foundries owned by Samsung Electronics Co., its rival in global mobile devices.
Apple’s said to be ramping up production of three new iPhone models for this fall, banking on them to continue its recent sales momentum. It’s also planning new iPad and Apple Watch models, devices that have historically used TSMC chips.
The company does prepare for last minute supply-chain hiccups like the one facing TSMC and could work through any potential problems. An Apple spokesperson didn’t respond to a request for comment on Sunday.
A bellwether for the chip industry as well as an early indicator of iPhone demand, Hsinchu, Taiwan-based TSMC heads into its busiest quarters grappling with waning enthusiasm for the high-powered chips used to mine digital currencies. Now it’s also dealing with internal security holes. Cyber crime could cost businesses as much as $8 trillion in damage over the next five years, according to the World Economic Forum.
“We now realize it is not possible for humans not to make mistakes, so now we are inventing a new mechanism that will go online soon. The mechanism doesn’t require human intervention,” Wei said.