Cyber Incident Victim: Arhaus

The Arhaus data breach originated from unauthorized access to employee email accounts between March 25, 2022, and May 24, 2022. The furniture retailer discovered that an intruder compromised multiple employee email accounts during this two-month period, though the company did not disclose the exact date it initially detected the intrusion. Upon identifying the incident, Arhaus engaged cybersecurity professionals to investigate the scope and determine whether sensitive employee data was exposed. The investigation concluded on June 24, 2022, confirming that attackers accessed personally identifiable information contained within the breached email accounts. Exposed data included employee names, driver’s license numbers, Social Security numbers, and financial account information, with the specific details varying per affected individual.

Arhaus initiated a review of all compromised files following the June 24 confirmation to identify impacted employees and categorize the exposed data types. The company completed this process and mailed formal data breach notifications to affected personnel on July 22, 2022. While the breach notification did not specify the total number of affected employees, it confirmed the compromise occurred exclusively through unauthorized email account access rather than infiltration of primary corporate databases or customer-facing systems. The company’s public statement indicated attackers likely obtained email credentials through phishing techniques, though no forensic evidence confirming the exact attack vector was disclosed. No customer data or operational systems were compromised, with the incident confined to employee information stored within the breached email accounts. Arhaus did not report disruptions to business operations, retail services, or financial systems as a result of the breach.