Arnoff Moving and Storage

Arnoff Moving and Storage is a United States-based company providing relocation and storage services to residential and commercial customers. Operating from its headquarters within the USA, the firm maintains a presence through multiple regional branches, serving clients across various geographic areas. Its core business involves the physical movement of goods and the secure storage of personal and business inventories, which necessitates the collection and management of substantial customer information. This includes personal identification details, billing and shipping addresses, and financial data such as credit card authorizations to facilitate transactions for its moving and storage contracts. The company's operations place it within the competitive consumer services sector, where handling sensitive client data is a fundamental aspect of service delivery. While its exact size, employee count, or annual revenue are not disclosed in available records, the mention of multiple branches indicates a operational footprint beyond a single location. The nature of its services requires compliance with standards for handling payment card information, a regulatory expectation that became a notable point of contention following a security incident.

In June 2021, Arnoff Moving and Storage was the subject of a significant cybersecurity incident attributed to the REvil (Sodinokibi) threat actor group. The attackers claimed to have gained unauthorized access to the company's corporate network and exfiltrated sensitive customer data. REvil provided evidence of their access by publishing images containing credit card authorizations and other personal information, subsequently threatening to sell the stolen data. The incident reportedly began after the company's vice president dismissed the attackers' ransom demands. A key detail from the breach disclosure is the allegation that Arnoff Moving and Storage was non-compliant with Payment Card Industry Data Security Standard (PCI DSS) requirements, a criticism levied by the threat actors themselves. It remains unclear from the available information whether the attack involved the encryption of company files by ransomware or was solely a data theft and extortion scheme. The potential impact spanned customers from its various branches, though the precise scope of the breach and the total number of individuals whose information was compromised were never officially quantified or released by the company. This event highlighted the data security risks inherent in businesses that process and store extensive personal and financial customer records.