Package Printers Are Ransomware’s Preferred Target
There is a lot of noise in modern society around data, privacy, and security. It seems every week, news of another major breach is made public — leaking personal information, credit card numbers, and other protected information. It has become easier to tune it out or assume it doesn’t apply to printed packaging companies.
That would be a mistake.
Manufacturing companies as a whole have become a greater target for cyberattacks over the past few years, and printed packaging is part of that group. Security expert Christian Quinn, managing principal of Washington, D.C.-based Fulcrum Innovation, cites, “Per IBM’s ‘X-Force Threat Intelligence Index,’ manufacturing is the number one-targeted industry, including extortion (29%) and data theft (24%), targeting financial assets and intellectual property.”
Quinn provides several reasons why packaging manufacturers are especially exposed:
- Packaging often depends on continuous, tight delivery windows with low tolerance for downtime. Business disruptions cascade downstream to customers who can’t ship the product. Threat actors recognize that this makes packaging companies more likely to pay ransoms quickly and for the higher amounts requested.
- Packaging plants often operate with a blend of modern digital systems and legacy industrial equipment (think SCADA systems, PLCs, and embedded controllers that were not originally designed with cybersecurity in mind) working alongside newer ERP platforms, digital prepress workflows, and cloud-connected customer portals. That mix of old and new offers vulnerabilities that attackers can exploit.
- Their role in the broader supply chain makes packaging a high-value pivot point. A packaging company that handles sensitive brand artwork, proprietary product specifications, or variable data for consumer brands represents an extremely attractive target for adversaries looking to reach those brands indirectly.
That is a reality that Portland, Oregon, printed packaging manufacturer Rose City Label has taken seriously. The company’s president, Scott Pillsbury, notes, “Sadly, this is a major issue for all businesses these days. It is like having insurance for your property or an OSHA safety program — it is part of the basic cost of doing business.”
While Rose City Label, a PRINTING United Alliance member, doesn’t currently have a direct demand for tight security, it has in the past, and Pillsbury doesn’t believe in letting it slide now.
“In the past, we had some U.S. government contractor work that made us fill out certain surveys and did some compliance auditing,” he notes. “This was mostly around employment practices and safety, but there were some items related to computer security. Currently, it isn’t a direct customer pushing this, but just our own assessment of risk and the need to protect our data. It is like having an alarm system on our building — not foolproof, but we at least must make an honest effort.”
Avenues of Attack
While so-called bad actors can find vulnerabilities almost anywhere to exploit, Quinn explains that for a printed packaging plant, there are a few more common points that should be protected first in any plan to lock down the site’s security.
1. Phishing and social engineering. This, Quinn stresses, remains the most popular initial point of entry into any business, not just package printers.
“A majority of cyber incidents still originate from deceptive emails and calendar invites,” he explains. “This often takes the form of spoofed emails that appear to come from customers submitting files, vendors sending invoices, or equipment suppliers sharing firmware updates. AI has made these attacks dramatically more convincing; the grammatical errors and awkward phrasing that used to serve as red flags are disappearing.”
2. Unpatched devices. Every modern business, regardless of size, location, or what it is producing, is full of networked devices. Presses, RIPs, workstations, mobile phones, MIS/ERP servers … the list goes on. Every one of these is a potential doorway for a hacker to get in, but simply keeping them up to date with the latest security patches can close these entry points, Quinn says.
3. Remote access and VPNs. One of the great benefits of modern technology is the ability to log in to software and equipment from anywhere to perform maintenance, troubleshoot, generate reports, or even allow customers to track the progress of their jobs. But it is also one of the great challenges for security, since, as Quinn notes, “Connections like RDP, VPN, or proprietary remote-access tools are aggressively targeted.”
4. Removable media and/or file transfers. No print business of any kind, much less packaging, can operate without providing clients with a way to send files for processing and creation. It’s part and parcel of the core business, but it is also a potential avenue of attack. Every incoming file could potentially contain a harmful bit of code that gives hackers a proverbial “in.” Since accepting files can’t be eliminated, a robust system of safety checks and scanning needs to be put in place instead.
5. Unsegmented networks. Finally, Quinn notes, “In many operations, the workstation, the office network, the MIS system, and the press controls all share a flat network. There’s no segmentation between the person checking email and the system controlling a million-dollar press. This means that once an attacker gains a foothold anywhere, they can move laterally to everything.”
Where should printed packaging companies even start, then, to address these potential vulnerabilities? Quinn advises, “Start with employee security awareness training that is role-specific: what a prepress operator needs to know is different from what a front-office administrator needs. Implement multi-factor authentication on every system that supports it. Establish a rigorous patch management schedule. Audit and limit all remote access connections. Segment your network so that a compromised office workstation cannot reach your press controls. And create a formal process for vetting incoming customer files.”
What does this look like in practice? For Rose City Label, it has meant routine investments in systems such as firewall updates, off-site backups, and ensuring Windows updates run on schedule. “These are all the basic stuff that businesses need to do in 2026,” Pillsbury says.
It also doesn’t have to be a massive headache. “You don’t have to be on the bleeding edge, but everyone needs a reasonable security posture to protect the business,” Pillsbury explains. “Your customers, business needs, and specific data requirements may vary. Consult with the professionals — they can help.”
And he has stuck to what works, rather than trying to get creative. Pillsbury says, “There have been no bad investments or trials with fringe technology — we are just doing the basic, best practices. We also pay for cyber insurance along with our general liability. It is important.”
Fortunately, for Rose City Label, it has worked thus far. Pillsbury notes they haven’t had any incidents or incursions, so he views it more as insurance than as a reactionary measure. “I hate to pay the premiums, but the alternative isn’t smart,” he notes. “We try to stay ahead of the curve and use best practices as recommended by our outside IT professionals.”
But that doesn’t mean it hasn’t happened to other package printers. Quinn explains that one example of an IT breach leading to an OT (operational technology) incident was in 2021.
“Many OT attacks begin as IT breaches,” Quinn details. “Attackers get in through things like a phishing email, a compromised credential, or an unpatched VPN on the business network side, and then pivot into the operational technology environment. The 2021 WestRock incident is an example of IT-to-OT lateral movement in the packaging industry. The ransomware affected both IT and OT systems, shutting down production and packaging-converting operations across numerous facilities. The adversaries didn’t need separate entry points for the OT systems — they got in through the business network and moved laterally because adequate segmentation didn’t exist.”
He continues, “Threat actors recognize that disrupting production creates more urgency to pay than encrypting an email server. Simply making sure default credentials aren’t still in place is an easy starting point. This is a common vulnerability, but it’s not a complicated attack vector — it’s just poor cyber hygiene. Probably the more impactful thing a print provider can do to prevent IT-to-OT lateral movement is proper network segmentation, backed by monitoring at the boundary between those environments.”
Where to Even Start
If all of this is concerning, don’t worry. As Pillsbury points out, making the operation more secure doesn’t have to entail massive structural changes or investments. That said, it does require some investment, whether in hardware, software, monitoring, or insurance. In the short term, taking the time to do things like changing the default password on every device that touches the network and enabling multifactor authentication on every device that supports it can be, as Quinn notes, a “low-cost, high-impact” activity.
It is also critical to start with a comprehensive assessment of the entire operation and potential risk points. It is unlikely that any modern business hasn’t engaged in at least some security-related activities, even if only updating firmware. Knowing which holes have already been reinforced and where the most critical vulnerabilities remain shows where to start. “You cannot protect what you don’t know you have,” Quinn says.
Longer term, consider investing in more robust systems, such as what Quinn calls “zero-trust architecture,” where no device, user, or even network component is inherently trusted. In this type of network, every device and user must authenticate on an ongoing basis to maintain access.
Training is another long-term and ongoing investment. The security landscape changes constantly, and keeping both the organization as a whole and all employees who operate within it up to date on the latest best practices ensures ongoing protection. Just because something is secure today does not mean it will remain secure tomorrow, as technology evolves.
None of this should be something to fear, but it is a reality of today’s business environment. As Pillsbury notes, “I wish we didn’t need all this, and I hope all the investment is for nothing, but I sleep better knowing I am protected. It is the cost of doing business. To be successful, we have to increase revenue, reduce costs, and minimize risk. This falls into the third bucket of important things leaders do.”
“Don’t let the scope of the challenge paralyze you,” Quinn concludes. “Cybersecurity doesn’t have to be an all-or-nothing proposition. Just because you can’t do everything, doesn’t mean you do nothing. Start with the basics and build from there.”
Toni McQuilken is the senior editor for the printing and packaging group.






