Cyber Incident Victim: Baccarat Hotel
Date: Sep 2023
Location: United States of America
Summary
A cyberattack targeted the Baccarat crystal company, potentially constraining a portion of its activity. The company's CEO issued a warning to customers, advising them to be vigilant against suspicious emails posing as official communications. While the attack did not impact the separate Baccarat Hotel in New York, the crystal firm stated there was no initial indication that customer personal or confidential data had been compromised.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 10 techniques |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around September 1, 2023, the venerable French crystal company Baccarat publicly disclosed it was facing a cyberattack. The disclosure was made via an email statement sent by the company's Chief Executive Officer, Maggie Henriquez, at 4:16 PM that Tuesday. The correspondence was addressed to the firm's customer base, indicating the attack was an active incident that was currently affecting the company's operations. The message stated that as a result of the attack, a portion of the Maison's business activity was constrained, though the specific nature of the operational disruption was not detailed in the announcement.

The official communication from CEO Henriquez was framed as a matter of anticipation and risk prevention. Its primary purpose was to warn the company's loyal customers, who purchase its high-end cut glass products, to be wary of any suspicious messages they might receive from parties pretending to be the Paris-based Baccarat brand. The statement explicitly advised customers to exercise the utmost vigilance regarding any unusual communication purporting to come from the company. It further instructed that if a customer received an unusual request from the Maison, they should not hesitate to contact Baccarat directly by phone to verify its authenticity.

At the stage of the public disclosure, the company's internal assessment indicated there was no evidence that any customer personal or confidential data had been compromised. The email from the CEO did not specify the nature of the cyberattack, such as whether it was a ransomware incident, a data breach, or another form of cyber intrusion. The brand's focus was on preemptively warning its clientele of potential secondary attacks, such as phishing emails or business email compromise attempts that might leverage the ongoing situation.

Concurrently, the Baccarat Hotel in New York City, an opulent property affiliated with the crystal brand, issued a separate statement. A spokesperson for the hotel explicitly confirmed that the cyberattack impacting the crystal company was not affecting the glitzy Manhattan hotel's operations. This clarification distinguished the two entities, confirming that the incident was contained to the crystal-making side of the business. The hotel, known for its luxury accommodations starting at $899 per night and suites costing thousands, continued its normal operations without any announced constraints due to the cyber incident.

The attack targeted Baccarat, the 257-year-old French crystal-maker, which is a preeminent factory and brand in its sector. Maggie Henriquez had been appointed to lead this historic company in 2021. The incident impacted the company's operational capabilities, though the exact scope of affected systems, servers, or internal networks was not publicly detailed. The announcement confirmed that the attack was significant enough to constrain a portion of the company's business activity, indicating a tangible impact on its ability to conduct normal operations, which could include manufacturing, order fulfillment, or internal communications.

The company's immediate response action was to proactively communicate with its customer base to mitigate potential downstream risks. This customer-facing response was a preventative measure aimed at securing the company's clients from further exploitation by the threat actors behind the initial attack. The directive for customers to verify any unusual requests via a phone call suggests the company was concerned about the potential for impersonation and social engineering attacks leveraging its compromised brand identity. The company did not publicly announce any specific containment or eradication actions taken by its internal IT or security teams, nor did it disclose if external cybersecurity firms or law enforcement agencies were engaged to assist with the incident.

The impacts of the incident were primarily operational for the Baccarat crystal company. A direct financial impact from the constrained business activity was implied but not quantified. There was no initial evidence of a data breach involving customer information, which potentially limited the liability and reputational damage associated with the exposure of personal data. The secondary impact was the potential for brand impersonation and targeted phishing campaigns against its high-value clientele, which the company sought to preempt through its direct communication. The Baccarat Hotel in New York, by contrast, reported no operational, financial, or customer-related impacts from the event, as it was not involved in the security incident. The crystal brand's long-standing reputation for quality and exclusivity faced a potential challenge from the cyberattack, though the proactive and transparent communication from its CEO was likely intended to preserve customer trust and brand integrity during the disruption.
