Recently, Lawson Products, Inc. confirmed that the company experienced a data breach after an unauthorized party gained access to sensitive consumer data contained on the network. According to Lawson Products, the breach resulted in the following data elements being compromised: names, addresses, Social Security numbers, driver’s license numbers, state-issued identification numbers, passport numbers, as well as financial account information and medical information. On July 14, 2022, Lawson Products filed official notice of the breach and sent out data breach letters to all affected parties.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Lawson Products data breach, please see our recent piece on the topic here.
What We Know About the Lawson Products Data Breach
According to an official notice filed by the company, on February 8, 2022, Lawson Products became aware of a cyber incident affecting its computer network. In response, the company secured its network and engaged the assistance of a cybersecurity firm to investigate the incident.
On February 16, 2022, the company’s investigation revealed that certain confidential information—including sensitive consumer information—was accessible to an unauthorized third party.
Upon discovering that sensitive consumer data was accessible to an unauthorized party, Lawson Products then reviewed the affected files to determine exactly what information was compromised. While the breached information varies depending on the individual, it may include the following data types:
- Name,
- Address,
- Social Security number,
- Driver’s license number,
- State-issued identification number,
- Passport number,
- Financial account information (bank account numbers, credit card numbers, debit card numbers, etc.), and
- Medical information.
On July 14, 2022, Lawson Products began sending out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
Lawson Products, Inc. is a manufacturer, distributor and retailer based in Chicago, Illinois. Lawson Products deals in a range of hardware and tools, such as abrasives, automotive tools, chemicals, cutting tools, fasteners, welding tools and hand tools. Lawson Products primarily caters to small businesses, although the company also maintains an online retail store. Lawson Products employs more than 1,840 people and generates approximately $417 million in annual revenue.
As of an April 2022 merger, Lawson Products is now a wholly owned subsidiary of Distribution Solutions Group. Distribution Solutions Group is comprised of Lawson Products, Inc., Gexpro Services, and TestEquity, and is publicly traded on the NASDAQ under the ticker symbol “DSGR.”
What Could Have Led to the Lawson Products / Distribution Solutions Group Data Breach?
While Lawson Products, Inc. provided limited information about the breach in the data breach letter sent to affected parties, the company did not explain how the unauthorized party was able to access the company’s network or what type of cyberattack was used. However, there is a possibility that the company was targeted because it was in the process of going through a significant merger earlier this year.
When cybercriminals think about which companies to target, they consider a range of variables. However, ransomware groups, in particular, have been known to target companies that are in the process of a merger or acquisition. In fact, according to an FBI news release from November 2021,
The FBI assesses ransomware actors are very likely using significant financial events, such as mergers and acquisitions, to target and leverage victim companies for ransomware infections. Prior to an attack, ransomware actors research publicly available information, such as a victim’s stock valuation, as well as material nonpublic information. If victims do not pay a ransom quickly, ransomware actors will threaten to disclose this information publicly, causing potential investor backlash.
The idea is that cybercriminals hope to identify companies that are at a critical point and exploit the fact that the company will want to avoid ruining the deal based on bad press associated with a data breach. Thus, in the cybercriminals’ minds, a company is more likely to pay a ransom.
However, the FBI “does not encourage paying a ransom to criminal actors” because doing so “emboldens adversaries to target additional organizations, encourages other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered.”
Understanding the risks that mergers and acquisitions pose, the FBI encourages companies that are going through a merger or acquisition to take certain steps to ensure the safety of consumer data contained on their networks:
- Back up all critical data;
- Ensure copies of critical data are uploaded to the cloud or downloaded to an external hard drive;
- Secure back-ups to ensure data is not accessible from the system where the original data resides;
- Install and regularly update anti-virus or anti-malware software on all hosts;
- Only use secure networks and avoid using public Wi-Fi networks;
- Use two-factor authentication for user login credentials;
- Use authenticator apps rather than email because cybercriminals may be in control of employee email accounts;
- Do not click on unsolicited attachments or links in emails; and
- Implement least privilege for file, directory, and network share permissions.
Of course, neither Lawson Products nor Distribution Solutions Group has confirmed that the February 2022 data breach was related to the pending merger. However, it is a possibility that data breach lawyers are investigating.