Cyber Incident Victim: Crown Equipment
Date: Jun 2024
Location: United States of America
Summary
A global forklift manufacturer suffered a cyberattack by an international criminal organization, disrupting manufacturing operations and necessitating IT system shutdowns. The breach originated from an employee violating security protocols, enabling unauthorized device access via social engineering. Impacts included halted production, inability to track work hours or access service manuals, and delayed machinery deliveries. Initially requiring staff to use paid leave, the company later provided regular pay advances while restoring systems with external cybersecurity experts and FBI assistance. Security measures reportedly limited data exposure, with no evidence that employee personal information was targeted or that data usable for identity theft was compromised. Operations are gradually resuming as the investigation continues.
Description
The cyber incident impacting Crown Equipment began around June 8, 2024, when employees reported widespread IT system shutdowns across the company’s global operations. Workers were instructed to reject multi-factor authentication requests and remain vigilant against phishing attempts, indicating immediate containment measures. Manufacturing operations at Crown’s 24 plants in 14 countries faced disruptions, with employees unable to clock work hours electronically, access critical service manuals, or fulfill machinery deliveries in certain cases. Initial internal communications directed staff to use accrued paid time off or file for unemployment to cover compensation gaps during the outage, though this policy was later revised to provide regular pay as an advance with options to compensate lost hours. Employees expressed frustration over inconsistent communication from management during the first week of the disruption, with no formal acknowledgment of the attack until June 19.

On June 19, Crown confirmed via an internal email that an “international cybercriminal organization” had breached its systems, forcing a proactive shutdown of operating systems to investigate and mitigate the attack. The company attributed the breach to an employee’s failure to comply with data security policies, which allowed threat actors to install remote access software—a method consistent with social engineering tactics reported by external analysts. Crown stated its existing security protocols limited the volume of data accessed by attackers and found no evidence that employee personal information or identity theft materials were compromised. The organization engaged third-party cybersecurity experts and collaborated with the FBI to analyze the breach’s scope while gradually restoring affected systems. Manufacturing remained partially disrupted during recovery, with Crown prioritizing customer communications to minimize operational fallout. The company declined to confirm whether ransomware was involved despite external speculation linking the “international” threat actor designation to ransomware groups, maintaining that no further details beyond its public statements would be released.
