Cyber Incident Victim: Nucor Corporation

On May 26, 2023, Nucor Corporation, a commercial entity headquartered at 1915 Rexford Rd, Charlotte, North Carolina, 28211, began experiencing an external system breach. The unauthorized access to its systems continued for several days, concluding on June 1, 2023. The incident was identified and discovered by the company on June 3, 2023, two days after the final date of the breach activity. The nature of the incident was classified as an external system breach resulting from hacking. The breach resulted in the acquisition of personal information belonging to a total of 8,824 individuals. Among those affected, two were identified as residents of the state of Maine. The specific information acquired during the breach included the name or other personal identifier of the affected individuals in combination with other data elements, though the precise combination of data fields was not detailed in the public notification.

In response to the discovery of the breach, Nucor Corporation engaged legal counsel to manage the incident response and notification process. The company worked with the law firm Moore & Van Allen PLLC, with attorney Suzanne Gainey acting as the submitter of the breach notification to the Maine Attorney General's office. The contact information provided was a telephone number, (704) 331-3559, and an email address, [email protected]. The relationship to the entity whose information was compromised was listed as attorney. The company undertook an investigation to determine the full scope and impact of the security incident. This investigation would have included forensic analysis to understand the attack vector, the systems accessed, and the specific data exfiltrated by the threat actor.

Nucor Corporation determined that written notification was the appropriate method for informing affected consumers of the breach. The company proceeded to organize the logistics of this mass communication. The date set for the consumer notifications was June 30, 2023, nearly a full month after the breach began and approximately three weeks after its discovery. This timeframe is consistent with the period required to complete a forensic investigation, identify all affected individuals, and prepare the necessary mailing materials. A sample of the notice letter to affected Maine residents was provided to the Maine Attorney General's office as part of its filing, titled "Sample Notice Letter - Nucor Corporation.pdf". The contents of this specific letter were not detailed in the public posting.

As a protective measure for the individuals whose personal information was acquired, Nucor Corporation offered complimentary identity theft protection services to all affected persons. The provider of these services was Equifax, and the specific product offered was Complete Premier. The company committed to providing this credit and identity monitoring service for a duration of 24 months, or two years. This service typically includes features such as credit monitoring at all three major bureaus, identity theft insurance, and assistance with fraud resolution. The offering of such services is a common practice intended to help affected individuals detect and respond to potential misuse of their personal data following a breach. The breach notification confirmed that no previous breach notifications had been issued by the entity within the 12 months preceding this incident. The impact of the breach was confined to the compromise of personal data, and there was no indication provided of any broader operational disruption to Nucor's industrial manufacturing activities.