TSMC says it recovers 80 percent of capacity after virus shuts down plants

The chipmaker said: "This virus outbreak occurred due to misoperation during the software installation process for a new tool."
Written by Larry Dignan, Contributor

Semiconductor manufacturer TSMC said that it has recovered about 80 percent of its equipment hit by a computer virus on Friday.

TSMC, which makes the processors that power Apple's iPhone, was hit by a computer virus and had to shut down its fabrication plants.

The company said it expects a full recovery on Aug. 6. In a statement, the company said it "contained the problem and found a solution."

News of the TSMC issues were reported on Friday by various outlets. At the time TSMC said that it wasn't a cyberattack that felled its plants.

What is malware? Everything you need to know about viruses, trojans and malicious software | Security 101: Here's how to keep your data private, step by step | Ransomware: An executive guide to one of the biggest menaces on the web | What is phishing? Everything you need to know to protect yourself from scam emails and more

TSMC provided a bit of a post mortem on what happened. The company said:

This virus outbreak occurred due to misoperation during the software installation process for a new tool, which caused a virus to spread once the tool was connected to the Company's computer network. Data integrity and confidential information was not compromised. TSMC has taken actions to close this security gap and further strengthen security measures.

Tech Pro Research ebook: IT leader's guide to cyberattack recovery

According to TSMC, the shutdown will result in shipment delays and additional costs. Two days of outages will hurt revenue by about 3 percent. The company said:

We estimate the impact to third quarter revenue to be about three percent, and impact to gross margin to be about one percentage point. The Company is confident shipments delayed in third quarter will be recovered in the fourth quarter 2018, and maintains its forecast of high single-digit revenue growth for 2018 in U.S. dollars given on July 19, 2018.

Here's a look at the TSMC guidance from July 19.


Customers have been notified of the event and TSMC added that it will work closely with them on deliveries. Customers will be told individually how their wafer orders were impacted.

Research: Employee compliance is the main challenge to implementing cybersecurity strategy | Cybersecurity strategy research: Common tactics, issues with implementation, and effectiveness | Information security policy

There are a few nuggets in TSMC's annual report worth noting. For starters, the company's customer base is concentrated. TSMC said:

Over the years, our customer profile and the nature of our customers' business have changed dramatically. While we generate revenue from hundreds of customers worldwide, our ten largest customers in 2015, 2016, and 2017 accounted for approximately 63%, 69% and 67% of our net revenue in the respective year. Our largest customer in 2015, 2016, and 2017 accounted for 16%, 17% and 22% of our net revenue in the respective year. Our second largest customer in 2015 and 2016 accounted for 16% and 11% of our net revenue in the respective year. In 2017, our second largest customer accounted for less than 10% of our net revenue.

And the comapny also talked about cybersecurity in its annual report:

Even though we have established a comprehensive Internet and computing security network, we cannot guarantee that our computing systems which control or maintain vital corporate functions, such as our manufacturing operations and enterprise accounting, would be completely immune to crippling cyber attacks by any third party to gain unauthorized access to our internal network systems, to sabotage our operations and goodwill or otherwise. In the event of a serious cyber attack, our systems may lose important corporate data and our production lines may be shutdown indefinitely pending the resolution of such attack. While we also seek to annually review and assess our cybersecurity policies and procedures to ensure their adequacy and effectiveness, we cannot guarantee that we will not be susceptible to new and emerging risks and attacks in the evolving landscape of cybersecurity threats.
Editorial standards