Furniture giant shuts down manufacturing facilities after ransomware attack

One of the largest furniture companies in the U.S. was forced to shut down its manufacturing facilities following a ransomware attack that began last week.

Bassett Furniture Industries said it shut down some of its information technology systems after it discovered unauthorized access on July 10. 

The hacker “disrupted the Company’s business operations by encrypting some data files” and forced the company to activate its incident response plan, the company said in a regulatory filing Monday. 

“As a result of the Company’s containment measures, which included shutting down some systems, the Company has not been, and, as of the date of this Report is not operating its manufacturing facilities,” Bassett Furniture said in an 8-K filing with the Securities and Exchange Commission. 

“The Company’s retail stores and e-commerce platform are open, and customers are able to place orders and purchase available merchandise; however, the Company’s ability to fulfill orders is currently impacted.”

Company officials are working to bring impacted systems back online and implement workarounds in order to reduce the disruption. 

Unlike many of the 8-K filings companies have submitted to the SEC following cyberattacks, Bassett Furniture admitted that the attack “has had and is reasonably likely to continue to have a material impact on the Company’s business operations until recovery efforts are completed.”

They are still unsure of whether it will “materially” impact the company’s financial performance. 

No ransomware group has come forward to take credit for the incident as of Tuesday afternoon. 

With nearly 90 stores across the U.S., Bassett Furniture is one of the largest manufacturers and marketers of furniture in the country. On the same day of the ransomware attack, the company reported a 17% decrease in revenue for the second quarter of 2024 compared to last year. 

The attack comes as the tempo of 8-K filings to the SEC about cybersecurity incidents continues to increase precipitously. Controversial rules requiring companies to quickly disclose financially “material” cybersecurity incidents took effect for most companies on December 18, but smaller companies were given an extra 180 days to comply.

The rules immediately caused outrage from companies and lawmakers who questioned what the SEC meant when using the term “material cybersecurity incident” in light of the endless barrage of cyber intrusions most large organizations face on a daily basis.

Since the rules took effect, nearly all of the filings have claimed cyberattacks did not have a “material” effect on the company’s bottom line, even though several companies later acknowledged significant financial losses due to incident recovery costs or operation shutdowns. 

This week, both insurance company UnitedHealth and a car dealership company have reported significant financial impacts caused by cybersecurity incidents.