Cyber Incident Victim: City Furniture

On September 13, 2022, City Furniture, Inc. publicly confirmed a data breach involving unauthorized access to sensitive consumer data stored on its network. The Tamarac, Florida-based furniture retailer filed formal notice of the incident with the Massachusetts Office of Consumer Affairs and Business Regulation, though the exact timeline of the breach—including when the intrusion occurred or when City Furniture discovered the compromise—remained undisclosed. While the company did not explicitly confirm the specific categories of exposed information, Massachusetts breach notification requirements indicate the incident likely involved consumer names combined with at least one of the following data elements: Social Security numbers, driver's license or state identification numbers, or financial account information including credit/debit card details. City Furniture initiated consumer notifications on the same date as its regulatory filing, dispatching data breach letters to all affected individuals whose personal information was potentially accessed during the security incident. The notification letters did not disclose technical details about the attack methodology, scope of network access, or number of impacted consumers, nor did they specify whether the breach affected in-store systems, e-commerce platforms, or both channels of the retailer's operations.

City Furniture, which operates through 20+ Florida locations and an online sales platform, reported annual revenue of approximately $509 million with a workforce exceeding 2,415 employees at the time of the breach. The company's response included offering affected consumers 24 months of complimentary credit monitoring services, a common remediation strategy following exposure of sensitive personal data. The breach notification emphasized risks of identity theft and financial fraud stemming from potential misuse of the compromised information, particularly given the high sensitivity of the suspected data types. No information was provided regarding containment measures, forensic investigation outcomes, or whether law enforcement agencies were involved in investigating the incident. The Massachusetts filing represented the primary public documentation of the breach, as City Furniture did not release additional statements detailing operational impacts, system restoration processes, or specific security improvements implemented post-incident.