Bassett Furniture Industries Hit By Major Data Breach, Customer Data Exposed
Company
Bassett Furniture
Why
Data breach
Total Settlement Amount
$387,500
Maximum Individual Claimant Award
$10,000
Claim Deadline
February 28, 2025
Bassett Furniture Industries Inc, a well-known name in the furniture industry with multiple Bassett furniture locations across the country, faces a major cybersecurity crisis as unauthorized actors compromised sensitive customer data spanning nearly two years. The data breach, affecting approximately 7,614 individuals, exposed customers' names, addresses, and financial account information between July 2021 and September 2023.
As a result of this security incident, the Bassett Furniture Company agreed to a significant settlement, offering affected customers up to $2,000 for documented ordinary losses and up to $10,000 for extraordinary damages. Furthermore, the breach severely impacted the company's operations, leading to system shutdowns and contributing to a 17% revenue decline, with quarterly earnings dropping to $83.4 million. We have learned that the company has now reached a $387,500 settlement agreement to resolve claims of negligent cybersecurity practices that allowed this extensive breach to occur.
Threat Actors Target Bassett Furniture's IT Infrastructure
Bassett Furniture Industries detected unauthorized access to its information technology systems, leading to significant operational disruptions. The threat actors encrypted crucial data files, prompting immediate containment measures including system shutdowns across multiple facilities.
Subsequently, the company activated its incident response plan and launched an investigation with external cybersecurity specialists. The cyberattack severely impacted Bassett's manufacturing capabilities, temporarily halting production at domestic plants. Additionally, the incident affected order fulfillment processes for both retail networks and wholesale shipments.
The investigation revealed that between July 29, 2021, and April 27, 2023, malicious actors had gained unauthorized access to the Bassett furniture website. During this period, the attackers implemented code capable of capturing customer information during online order placement. The compromised private information potentially included names, billing addresses, payment card numbers, CVV codes, and card expiration dates. Customers who used their Bassett credit card for purchases during this time were particularly at risk.
Upon discovering the suspicious activity, Bassett promptly engaged third-party cybersecurity experts to determine the full scope of the breach. Though the company initially believed no consumer data was compromised, further investigation prompted them to review all customer records from the affected period.
The impact of the cyber incident extended beyond data security concerns. While Bassett's retail stores and e-commerce platform remained operational, their ability to fulfill customer orders was significantly hampered. The company implemented various workarounds to maintain business continuity.
By mid-July 2024, Bassett had successfully restored the affected IT systems and data. Nevertheless, minor operational impacts persisted as the company worked through recovery efforts. Notably, the investigation found no evidence of compromise to Bassett's core operating systems for manufacturing, wholesale and retail order processing, or financial reporting. The incident's severity prompted mandatory disclosure under new SEC regulations requiring publicly traded companies to report cyberattacks that may materially affect investors.
Legal Battle Leads to $387,500 Settlement Agreement
Following months of investigation into the data breach, Bassett Furniture Industries Inc reached a significant settlement agreement totaling $387,500 to resolve claims of negligent cybersecurity practices. The class action lawsuit, filed as Myers v. Bassett Furniture Industries Inc. in the U.S. District Court for the Western District of Virginia, alleged that the company failed to implement adequate security measures.
The settlement covers approximately 7,614 individuals who received notification letters about their compromised information. Under the agreement terms, affected customers can claim reimbursement through multiple channels. For documented ordinary losses, individuals may receive up to $2,000, which covers unreimbursed fraud, identity theft expenses, professional fees, and credit-related costs.
Moreover, customers can claim reimbursement for time spent addressing breach-related issues. The settlement provides $30 per hour for up to 10 hours of documented time, offering lost time compensation. For those facing more severe consequences, the agreement allows claims up to $10,000 for extraordinary losses, specifically covering unreimbursed identity theft expenses and fraudulent charges.
The settlement also offers an alternative compensation option. Non-California residents can choose a $250 pro-rated cash payout, whereas California residents qualify for $400. However, selecting this option makes customers ineligible for other benefits outlined in the settlement.
In addition to monetary compensation, all affected individuals receive two years of complimentary IDX Credit Monitoring Services. The court granted preliminary approval for the settlement on October 31, 2024. Although Bassett Furniture maintains its stance of no wrongdoing, the company chose to settle to avoid prolonged litigation. The settlement benefits will be distributed to eligible class members only after the court grants final approval and the agreement becomes final.
Customers Must File Claims Before February Deadline
Affected customers of the Bassett Furniture data breach must act promptly to claim reimbursement before the February 28, 2025 deadline. Individuals who received notification letters about their compromised information qualify for multiple compensation options under the settlement terms.
For documented ordinary losses, claimants can receive up to $2,000 in reimbursement. This covers various expenses, primarily bank fees, credit reporting costs, credit freezing charges, professional service fees, postage, and mileage related to addressing the breach impact.
Regarding time compensation, affected individuals can claim up to 10 hours at $30 per hour for time spent addressing breach-related issues. The settlement offers flexibility in documentation requirements - customers can claim up to 4 hours without supporting evidence, yet must provide proof for additional hours.
For cases involving identity theft or substantial financial impact, extraordinary loss claims of up to $10,000 are available. These claims must meet specific criteria:
Losses must be actual, documented, and unreimbursed
Damages must be directly linked to the data breach
Incidents must have occurred between July 29, 2021, and the claims deadline
Claimants must demonstrate reasonable efforts to prevent losses
The settlement automatically provides all eligible claimants with 24 months of complimentary IDX Credit Monitoring Services, regardless of other claim submissions. Alternatively, non-California residents can opt for a $250 pro-rated cash payment, while California residents qualify for $400.
To submit a claim, customers must:
Complete the claim form through BassettDataBreach.com or via mail
Include supporting documentation like bank statements, credit card records, or receipts
Provide the Notice ID number from their notification letter
The claims administrator emphasizes that final payout amounts may fluctuate based on the total number of valid claims submitted. Upon court approval, benefits will be distributed to eligible settlement class members who have filed within the deadline.