
Snap-on Logo
(image source: Snap-on, n.d.)
One-sentence summary:
Snap-on was allegedly hacked in 2022 by Conti, and almost 1GB of sensitive data was breached.
Who was involved?
Snap-on, Inc. and the Conti ransomware group.
What was the timeline?
March 1, 2022: Breach by the Conti ransomware group starts
March 3, 2022: Breach by the Conti ransomware group ends
April 7, 2022: Snap-on notifies the California Attorney General of the breach (and, presumably, breach victims)
June 15, 2022: Class-action lawsuit is filed against Snap-on in a U.S. District Court, Wisconsin Eastern District (Unicourt, 2022).
March 14, 2023: Class-action lawsuit is settled.
What occurred?
Conti allegedly breached Snap-on in March 2022 and was able to exfiltrate almost 1GB of sensitive data before being detected by Snap-on (Abrams, 2022, paras. 9-14). The breached data primarily affected employees and a “franchisee,” and included “names, Social Security Numbers, dates of birth, and employee identification numbers” (Snap-on, 2022, p. 1). The breach resulted in a class-action lawsuit and a settlement of up to $3,250 per claimant (Top Class Actions, 2023).
Estimated costs:
Associated incident response costs, “leading external forensics firm,” IDX 24-month identity services, class action settlement of up to $3,250 per claimant
Involved laws:
California: CCPA and Cal. Civ. Code § 1798.29(a)
Root cause:
N/A or TBA (see disclaimer)
Lessons learned:
N/A or TBA (see disclaimer)
Sources:
Abrams, L. (2022, April 8). Snap-on discloses data breach claimed by Conti ransomware gang. BleepingComputer. Retrieved March 15, 2023, from https://www.bleepingcomputer.com/news/security/snap-on-discloses-data-breach-claimed-by-conti-ransomware-gang/
Snap-on. (n.d.). png-clipart-snap-on-incorporated-snapon-tools-pvt-ltd-snap-on-diagnostics-others-miscellaneous-angle.png. PNG EGG. https://e7.pngegg.com/pngimages/1005/666/png-clipart-snap-on-incorporated-snapon-tools-pvt-ltd-snap-on-diagnostics-others-miscellaneous-angle.png
Snap-on. (2022). NOTIFICATION OF DATA BREACH. In Search Data Security Breaches. State of California Department of Justice Office of the Attorney General. Retrieved March 15, 2023, from https://oag.ca.gov/system/files/US%20Notice%20.pdf
Top Class Actions. (2023, March 14). Snap-on data breach class action settlement – Top Class Actions. Retrieved March 15, 2023, from https://topclassactions.com/lawsuit-settlements/open-lawsuit-settlements/snap-on-data-breach-class-action-settlement/
Unicourt. (2022, August 14). Carmack v. Snap-On Inc. UniCourt. Retrieved March 15, 2023, from https://unicourt.com/case/pc-db5-carmack-v-snap-on-inc-1221568?init_S=csup_ltst
Commentary:
Snap-on has not disclosed the number of employees affected (or I could not locate this information). If you have this information, please feel free to comment below or message me.