
Cyber Incident Victim: Arnoff Moving and Storage

Date: Jun 2021

Location: United States of America

Summary

A cybersecurity incident involving Arnoff Moving & Storage resulted in unauthorized access to customer data; responsibility was claimed by the REvil (Sodinokibi) threat actor group. The attackers asserted that they had exfiltrated sensitive information from the corporate network, including personal details, billing and shipping addresses, and payment card data, and threatened to sell it after the company's vice president allegedly dismissed their ransom demand. As proof, REvil published images of credit card authorization forms and criticized the firm's non-compliance with the Payment Card Industry Data Security Standard (PCI DSS). Although the group is best known for ransomware, public reporting does not establish whether this incident involved file encryption or only data theft followed by extortion. The breach potentially affected customers across multiple regional branches, but the exact scope and the number of affected individuals were not disclosed.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

Arnoff Moving & Storage disclosed a data breach on or around June 9, 2021, following unauthorized access to customer information by threat actors. The Poughkeepsie-based company, which operates across multiple states including New York, Connecticut, Massachusetts, and Florida, could not confirm the number of affected customers, the date range of the compromised records, or whether the breach was confined to its Mid Hudson Valley regional branches. Actors affiliated with the REvil (Sodinokibi) ransomware group publicly claimed responsibility for the incident on their dedicated leak site, asserting that they had exfiltrated sensitive data from the corporate network. REvil representatives stated that they had contacted the company's vice president with a ransom demand but received a dismissive response, prompting them to threaten to sell the stolen data through underground carding shops. As proof of their claim, they published images of credit card authorization documents and alleged possession of additional customer records, including billing and shipping addresses and payment card details.


The attackers explicitly criticized Arnoff's lack of adherence to the Payment Card Industry Data Security Standard (PCI DSS). If the published authorization images are genuine, they indicate that cardholder data was being retained in a readable form; PCI DSS requires stored primary account numbers to be rendered unreadable and prohibits retaining sensitive authentication data after authorization, so the claim is plausible on its face, but it rests solely on the attackers' own statements and has not been independently confirmed. While REvil historically deployed ransomware in conjunction with data theft, public reporting did not confirm whether file encryption or system lockdowns occurred in this case. The breach exposed customers to potential payment fraud and identity theft because personally identifiable and financial information was exfiltrated. Arnoff did not disclose technical details regarding the intrusion method, detection timeline, containment measures, or forensic investigation in the available reports. REvil's announcement emphasized its intent to monetize the stolen data, escalating the reputational and operational consequences for the company. The incident pointed to apparent gaps in Arnoff's data protection practices while leaving critical questions about the full scope of the compromise and the remediation effort unanswered in public disclosures.
