Cyber Incident Victim: Berlin Packaging

On April 28, 2023, Berlin Packaging filed a formal notice of a data breach with the Massachusetts Office of Consumer Affairs and Business Regulation. This filing was the public result of the company's discovery that a recent cyberattack had compromised confidential human resources information residing on its computer network. The company's official filing indicated that the security incident permitted an unauthorized party to gain access to sensitive consumer data. The specific types of information exposed in the breach included individuals' names, Social Security numbers, financial account information, and driver's license numbers. The compromised data was characterized as human resources information, indicating the affected individuals were likely current or former employees rather than external customers.

Upon confirming that sensitive consumer data had been accessed and exfiltrated by an unauthorized actor, Berlin Packaging initiated a process to review the affected files. The purpose of this review was to determine the precise scope of the information that was compromised and to identify all the specific consumers who were impacted by the event. The company determined that the exact set of breached information varied from individual to individual, but the compromise consistently involved a combination of the highly sensitive personal identifiers listed in the filing with the Massachusetts authorities. The compromised financial account information represents data that could be directly used for fraudulent transactions or identity theft.

In direct response to the confirmed data leak, Berlin Packaging began sending out individualized data breach notification letters to all persons whose information was involved in the security incident. These letters were mailed on April 28, 2023, coinciding with the regulatory filing. Each letter served to inform the recipient that their personal data had been exposed and explained that a dedicated assistance line had been established for affected individuals to call for more information about the event. As a remedial measure for the potential harm caused, Berlin Packaging offered all victims of the breach 24 months of complimentary credit monitoring services to help detect any potential misuse of their information.

Publicly available information regarding the nature and cause of the Berlin Packaging breach was limited at the time of the filing. The primary source of information was the company's own submission to the Massachusetts Attorney General's Office. The filing did not provide extensive details about the breach's mechanics, such as the specific attack vector used by the threat actors, the duration of their access within the network, or the exact timeline of the intrusion and its subsequent discovery. The company had not yet posted an official notice of the incident on its corporate website, further limiting the dissemination of information to the public and potentially affected parties beyond those who received direct mail notifications.

Berlin Packaging is a significant global entity in the packaging industry. Founded in 1988 and headquartered in Chicago, Illinois, the company manufactures packaging for a wide array of sectors, with a particular focus on serving customers in the beverage, food, personal care, pharmaceutical, household care, industrial, and coatings industries. Its operational footprint is extensive, with more than 130 sales offices distributed across the United States, Italy, Spain, Germany, Canada, France, the Netherlands, Denmark, Greece, the United Kingdom, China, and South Africa. The company employs over 2,200 people and generates an estimated $2.5 billion in annual revenue. The compromise of human resources information suggests the attackers successfully infiltrated systems containing data on this substantial employee base. The incident underscores the significant risk posed to large organizations that maintain vast repositories of sensitive employee data, which are attractive targets for cybercriminals. The company's response, including its regulatory compliance and offer of credit monitoring, represents a standard course of action following the confirmation of a data security incident involving personal identifiable information.