MarineMax, a national retailer of boats and million-dollar yachts, reported on March 12 that a "cybersecurity incident" disrupted its operations, according to documents filed with the Securities and Exchange Commission (SEC).
According to the company, a third party gained unauthorized access to its information systems. However, the company has not indicated who the threat actor is or what type of attack occurred, whether ransomware or an incident of another nature.
Many of MarineMax's internal systems were rendered unavailable as a result of the attack, which is believed to have started on Sunday, and caused significant delays in customer service, sales, and customer support for MarineMax customers across the country.
There has also been a significant decline in MarineMax dealership sales and service as IT systems deal with the aftermath of the hurricane. Many dealerships are reporting problems with financing approvals, inventory availability, and overall deal progression, in addition to their sales and service processes.
MarineMax has not discontinued its operations as a result of the attack, but it hired cybersecurity experts to assist in the investigation and notified law enforcement. Asked whether it was dealing with a ransomware attack or another type of cyber incident, the company did not respond to the inquiry.
As the filing indicates, the attack has not materially affected the company's operations. However, officials are still assessing, based on their findings, whether it will do so at some point in the future.
MarineMax has not responded to questions as to whether data was stolen, but it states in the filing that it does not maintain sensitive data in the environment impacted by the incident.
MarineMax described the event as a 'cybersecurity incident', as defined in rules provided by the Securities and Exchange Commission. As detailed in the filing, an unauthorized party compromised portions of the company's information environment.
The Securities and Exchange Commission recently amended its incident-disclosure rules to require a Form 8-K to be filed within 24 hours of the organization determining a cyber-incident to be material. A material incident is one that has a significant impact on operational performance and could affect investors' investments.
Last year, several industry giants faced cyberattacks, including Brunswick Corporation, a manufacturer of boats and parts for ships that has been in the boating industry since the late 1800s.
The company reported that an incident in June affected the production of marine electronics at one of its subsidiaries and cost it more than $85 million. A German manufacturer of luxury yachts and military vessels also came under a ransomware attack over the Easter weekend in 2023.