Cold storage and logistics giant Americold has confirmed that over 129,000 employees and their dependents had their personal information stolen in an April attack, later claimed by Cactus ransomware.
Americold employs 17,000 people worldwide and operates more than 24 temperature-controlled warehouses across North America, Europe, Asia-Pacific, and South America.
The April network breach led to an outage affecting the company’s operations after Americold forced it to shut down its IT network to contain the breach and “rebuild the impacted systems.”
Americold also told customers via a private memo issued after the attack to cancel all inbound deliveries and reschedule outbound shipments, except for those deemed critically time-sensitive and nearing expiration.
In notification letters sent on December 8 to 129,611 current and former employees (and dependents) affected by the data breach, the company revealed the attackers were able to steal some data from its network on April 26.
“Based on the comprehensive data analysis that was performed and ultimately completed on November 8, 2023, we were able to determine what information was affected and to whom the information related. As a result of this review, it appears that some of your personal information may have been involved,” the letters read.
Personal information stolen by the attackers includes a combination of name, address, Social Security number, driver’s license/state ID number, passport number, financial account information (such as bank account and credit card numbers), and employment-related health insurance and medical information for each affected individual.
Another cyberattack hit Americold in November 2020, impacting its operations, phone systems, email services, inventory management, and order fulfillment.
While multiple sources told BleepingComputer at the time that the 2020 breach was a ransomware attack, the company has yet to confirm it, and the ransomware group responsible for the November 2020 attack remains unknown.
April attack claimed by Cactus ransomware
Even though the company didn’t connect the April 2023 incident to a specific ransomware operation, the Cactus ransomware operation claimed the attack on July 21.
The gang also leaked a 6GB archive of accounting and finance documents allegedly stolen from Americold’s network, including private and confidential information.
The ransomware group also plans to release human resources, legal, company audit information, customer documents, and accident reports.
Cactus ransomware is a relatively new operation that surfaced in March this year with double-extortion attacks, first stealing data to use as leverage in ransom negotiations and then encrypting compromised systems.
An Americold spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.