Cyber Incident Victim: Bassett Furniture Industries

Bassett Furniture Industries, Incorporated, a Virginia-based commercial entity, experienced a data breach involving unauthorized access to its e-commerce systems. The breach occurred over an extended period, from July 29, 2021, to April 27, 2023, though the company did not discover the incident until August 23, 2023. Attackers compromised the website by inserting malicious code designed to capture sensitive customer information during online transactions. The acquired data included names combined with financial account details such as credit or debit card numbers, along with associated security codes, access codes, passwords, or PINs. This exposure impacted 7,614 individuals nationwide, including 13 residents of Maine. The prolonged duration of undetected access allowed the malicious code to operate for nearly two years before discovery, significantly expanding the potential window for data exploitation.

Bassett Furniture initiated written notifications to affected consumers on September 22, 2023, approximately one month after discovering the breach. The company offered impacted individuals twelve months of complimentary credit monitoring and identity restoration services through IDX, a third-party provider specializing in data breach response. No prior breach notifications had been issued by the entity within the preceding twelve months. The incident was reported to the Maine Attorney General’s office by J. Michael Daniel, Senior Vice President and Chief Financial and Administrative Officer of Bassett Furniture, confirming organizational awareness of the event’s scope and regulatory obligations. The breach notification did not disclose technical details regarding containment measures or forensic investigations beyond confirming the compromise stemmed from website code manipulation.