Cyber Incident Victim: Lawson Products
Date: Feb 2022
Location: United States of America
Summary
Lawson Products experienced a cybersecurity incident where an unauthorized party accessed its network, compromising sensitive consumer information including names, addresses, government-issued identification numbers, financial account details, and medical data. The company detected the intrusion, secured its systems, and initiated an investigation confirming unauthorized data exposure. Notification letters were subsequently issued to affected individuals. The breach occurred amid corporate changes, though the company did not publicly attribute the incident to specific attack methods or confirm any connection to its recent merger with Distribution Solutions Group.
Description
Lawson Products, Inc. detected unauthorized access to its computer network on February 8, 2022, prompting immediate containment measures including network security reinforcement and engagement of a cybersecurity firm to investigate the incident. The forensic investigation concluded on February 16, 2022, confirming that an unauthorized third party had accessed confidential consumer data stored on corporate systems. The compromised information included names, physical addresses, Social Security numbers, driver's license numbers, state identification numbers, passport numbers, financial account details (encompassing bank account, credit card, and debit card numbers), and medical information. The company conducted a comprehensive file review to identify affected individuals and specific data elements exposed, though the scope varied per victim. On July 14, 2022—157 days after discovery—Lawson Products issued formal breach notifications to impacted consumers via mailed letters and filed regulatory disclosures.

The breach exposed highly sensitive personal identification and financial data, creating substantial risks of identity theft and financial fraud for affected individuals. As a distributor of industrial hardware serving small businesses and retail customers, Lawson maintained extensive consumer records containing the compromised data categories. The incident occurred during operational integration following Lawson's April 2022 merger into Distribution Solutions Group (NASDAQ: DSGR), a parent entity managing multiple subsidiaries. While Lawson did not disclose the intrusion method or whether ransomware was involved, the FBI had previously warned that threat actors frequently target companies undergoing mergers and acquisitions to exploit transitional vulnerabilities and pressure victims with disclosure threats during sensitive financial periods. The company's public breach notification omitted technical details regarding attack vectors, containment timelines beyond initial network security measures, or whether data exfiltration occurred. No operational disruptions or system downtime were reported in the disclosure.
