On July 22, 2022, Arhaus reported a data breach stemming from a cybersecurity incident in which an unauthorized party accessed sensitive employee information contained on the company’s systems. According to Arhaus, the breach resulted in the names, driver’s license numbers, Social Security numbers, and financial account numbers of certain employees being compromised. After confirming the breach and identifying all affected parties, Arhaus began sending out data breach letters to all affected parties.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Arhaus data breach, please see our recent piece on the topic here.
What Led Up to the Arhaus Data Breach
According to the official filing by Arhaus, the company recently wrapped up an investigation pertaining to a data security incident that occurred earlier in the year. While Arhaus does not mention the date that it first learned of the breach, the company confirmed that an unauthorized party was able to access certain employee email accounts between March 25, 2022 and May 24, 2022.
Upon learning of the incident, Arhaus enlisted the assistance of cybersecurity professionals to investigate whether any employee data was compromised. On June 24, 2022, the company’s investigation confirmed that sensitive information belonging to some employees was contained in the affected employees’ email accounts.
Upon discovering that employee data was accessible to an unauthorized party, Arhaus began the process of reviewing all affected files to determine what information was compromised and which employees were impacted by the incident. While the breached information varies depending on the individual, it may include your name, driver’s license number, Social Security number, and financial account information.
On July 22, 2022, Arhaus sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
More Information About Arhaus
Arhaus is a furniture and home furnishing store located in Boston Heights, Ohio. Founded in 1986, Arhaus designs and sells a range of products, including outdoor furniture, bedroom furniture, dining tables, desks, and more. The company focuses on sustainably sourcing the materials for its projects and partners with “artisans” from across the globe to create its products. Arhaus operates approximately 70 brick-and-mortar retail stores as well as an online store. Arhaus employs more than 1,740 people and generates approximately $721 million in annual revenue.
How Did Hackers Obtain Arhaus Employee Information?
Based on the statement Arhaus made in its letter to employees who were affected by the recent breach, it appears as though hackers were able to gain access to the company’s computer network through several employee email accounts. Email-based cyber attacks have become more popular over recent years as hackers become more proficient at conducting phishing attacks.
Phishing is the most common way for hackers to obtain an employee’s email account credentials. Once a cybercriminal has access to an employee’s email account, they are able to scour all the emails and attachments in the account, looking for sensitive information that could be used to commit identity theft or other types of fraud.
An email phishing attack involves a hacker sending an email to an unsuspecting employee, asking them to either provide their log-in credentials or to click on a malicious link. Of course, to get employees to do what they want, hackers are adept at making the email appear to be real. Often, these emails look like they are sent from seemingly legitimate sources. For example, a hacker may send an email from an Arhaus.net address and use the company’s logo at the bottom of the email.
Hackers are so good at making these fraudulent emails look official that 86 percent of all U.S. companies had at least one employee click on a phishing link in 2021. Given the high success rate of these attacks, it is no wonder that criminals are relying on phishing attacks more than ever. In fact, according to the Identity Theft Resource Center, in 2021, a third of all cyberattacks involved phishing.
Employers have an obligation to protect the data of their employees. And, given the frequency of phishing attacks, they cannot put their heads in the sand when it comes to taking the necessary steps to prevent these attacks. In light of the dramatic increase in email phishing, many employers are now requiring employees to take mandatory email phishing training programs designed to educate them about the risks of phishing and how to detect fraudulent emails that appear to be sent from legitimate sources.