Bandwidth.com expects to lose up to $12M following DDoS extortion attempt

Bandwidth Inc. expects to lose between $9 million and $12 million because of service downtime caused by a series of DDoS attacks the company dealt with during late September and early October this year.

The attacks, which the company said it had fully mitigated since October 5, were part of a DDoS extortion campaign that targeted several VoIP providers across the globe.

The attackers tried to obtain money from Bandwith Inc. by attacking its Bandwidth.com portal, through which the company provided on-demand server infrastructure to smaller VoIP telephony providers.

In a document filed with the U.S. Securities and Exchange Commission last week, Bandwidth said the attacks were large enough to put a dent in its Q3 revenue of $0.7 million, along with bigger losses expected by the end of the year.

"Based on preliminary usage data and currently known information, the company estimates that the impact of the DDoS attack may reduce CPaaS revenue for the full year of 2021 by an amount between $9 million and $12 million, inclusive of the aforementioned $0.7 million revenue impact in the third quarter," Bandwidth said.

The company plans to discuss the attack and its impact on revenue in an earnings call on November 8, next week.

The SEC documents filed last week offer a rare glimpse into the aftermath of DDoS attacks, many of which are often ridiculed as being the work of non-sophisticated threat actors. However, when attacks are timed and coordinated for maximum impact, Bandwidth's filing shows that they can a severe impact on a company's bottom line, especially when attackers target cloud providers that either charge by the hour or need to maintain a nearly perfect uptime otherwise they incur penalties based on ongoing contracts.