New Horizons Baking Company, a subsidiary of NHB Holdings, LLC, suffered a **data breach** between **January 6–10, 2025**, where an unauthorized actor (the **Cactus ransomware group**) accessed and exfiltrated **455 GB of data**, including **personal and corporate files**. The breach exposed **sensitive personally identifiable information (PII)** of **9,476 individuals**, primarily **names and Social Security numbers (SSNs)**, heightening risks of **identity theft and fraud**. The ransomware group publicly claimed responsibility on the dark web in **February 2025**, while New Horizons completed its investigation by **July 11, 2025**, notifying affected individuals on **August 28, 2025**. The company offered **12 months of free credit monitoring** via TransUnion, but the exposure of SSNs—critical for financial and governmental authentication—poses long-term threats to victims. Legal firms are pursuing **class-action lawsuits** for compensation, citing negligence in safeguarding consumer data.
Source: https://www.claimdepot.com/investigations/new-horizons-data-breach-2025
TPRM report: https://www.rankiteo.com/company/newhorizonsbakingcompany
"id": "new910090225",
"linkid": "newhorizonsbakingcompany",
"type": "Ransomware",
"date": "1/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': '9,476 individuals (including at '
'least 1 Maine resident)',
'industry': 'Food Production and Logistics',
'location': ['Norwalk, Ohio (HQ)',
'Additional Facilities in Ohio and '
'Indiana'],
'name': 'NHB Holdings, LLC (New Horizons Baking '
'Company, Genesis Baking Company, Metraco '
'Transportation Company, New Horizons Food '
'Solutions)',
'type': 'Privately Held Holding Company'}],
'customer_advisories': 'Credit monitoring services offered; guidance on '
'identity theft protection provided',
'data_breach': {'data_exfiltration': 'Yes (455 GB of data allegedly '
'exfiltrated)',
'number_of_records_exposed': '9,476 individuals',
'personally_identifiable_information': ['Names',
'Social Security '
'Numbers'],
'sensitivity_of_data': 'High (SSNs and potentially '
'proprietary corporate files)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Corporate Data']},
'date_detected': '2025-01-11',
'date_publicly_disclosed': '2025-02-20',
'date_resolved': '2025-07-11',
'description': 'Unauthorized actor accessed and acquired files between '
'January 6 and January 10, 2025, compromising personal '
'information of 9,476 individuals in the U.S., including names '
'and Social Security numbers. The ransomware group Cactus '
'claimed responsibility, alleging to have obtained 455 GB of '
'data, including personal and corporate files. The breach was '
'publicly disclosed, and affected individuals were offered '
'complimentary credit monitoring services.',
'impact': {'brand_reputation_impact': 'Potential Damage (Data Breach and '
'Ransomware Publicity)',
'data_compromised': ['Names',
'Social Security Numbers',
'Corporate Files'],
'identity_theft_risk': 'High (SSNs Compromised)',
'legal_liabilities': 'Potential Lawsuits (Class Action '
'Investigation by Shamis & Gentile P.A.)'},
'initial_access_broker': {'data_sold_on_dark_web': 'Alleged by Cactus (455 GB '
'of data)'},
'investigation_status': 'Completed (as of July 11, 2025)',
'motivation': 'Financial Gain (Data Theft and Ransom)',
'ransomware': {'data_exfiltration': 'Yes (455 GB claimed)',
'ransomware_strain': 'Cactus'},
'recommendations': ['Enroll in free credit monitoring provided by New '
'Horizons',
'Place fraud alerts or security freezes on credit files',
'Regularly review credit reports for suspicious activity',
'Report identity theft signs to law enforcement and state '
'attorney general'],
'references': [{'source': 'Shamis & Gentile P.A. Investigation Notice'},
{'source': 'New Horizons Public Disclosure (August 28, 2025 '
'Notice)'},
{'source': 'Cactus Ransomware Group Dark Web Post (February '
'20, 2025)'}],
'regulatory_compliance': {'legal_actions': 'Potential Class Action Lawsuit '
'(Investigation by Shamis & '
'Gentile P.A.)'},
'response': {'communication_strategy': 'Written notices sent to affected '
'individuals on August 28, 2025',
'incident_response_plan_activated': 'Yes (Investigation '
'Completed by July 11, 2025)',
'remediation_measures': 'Complimentary 12-month credit '
'monitoring via TransUnion for affected '
'individuals'},
'stakeholder_advisories': 'Written notices sent to affected individuals '
'(August 28, 2025)',
'threat_actor': 'Cactus (Ransomware Group)',
'title': 'New Horizons Data Breach and Ransomware Attack (2025)',
'type': ['Data Breach', 'Ransomware Attack']}