US wine producer Crimson Wine Group has reported a cybersecurity breach that “likely had a material impact” on its operations, it said.
Crimson Wine detected the breach on 30 June when it discovered a third-party had gained access to the company’s internal information systems, including sensitive consumer and corporate data.
Crimson Wine said hackers accessed its systems and exfiltrated data and files that “potentially” contained sensitive information.
“The company is still investigating the extent of any personal or otherwise sensitive information contained in the files acquired by the unauthorised third-party, including if any personal information of customers was impacted,” Crimson Wine said in a Securities and Exchange Commission filing yesterday (25 July).
The group said it would send notifications to any parties affected by the cybersecurity breach.
Crimson Wine’s operations were disrupted when it reacted to the breach, as it shut down certain systems and isolated its functions from the internet. Business application systems such as financial and operating reporting systems were also affected as the company looked to mitigate risk of further breaches.
The vintner said it has “adequate” cybersecurity insurance to offset the cost of the breach. However, it said there was still a risk of related losses not covered by insurance, such as “potential litigation, changes in customer behaviour [and] additional regulatory scrutiny”.
In Crimson Wine’s 2023 annual report, it laid out its cybersecurity risk management process which involves internal and external audits and assessments, as well as technical, procedural, physical and organisational measures.
Crimson Wine owns and manages around 870 acres of vineyards across five regions in California, Washington and Oregon. Its brands include Pine Ridge Vineyards and Archery Summit.
For the year ended 31 December 2023, Crimson Wine reported net sales of $72.4m, down from $74.2m year on year. Net income for the year was $3.2m, up from $1m in 2022.