HanesBrands Inc. has received at least $20.5 million in insurance compensation in 2023 for the 2022 ransomware attack that cost the manufacturer about $100 million in global sales.
The Winston-Salem basic apparel manufacturer disclosed in its third-quarter regulatory filing the insurance payments, which represent compensation for lost profits.
HanesBrands disclosed in a May 31, 2022, regulatory filing that it began experiencing the ransomware attack on May 24, 2022.
Ransomware is a type of malicious software employed by hackers that can block access to a computer system until a ransom is paid. In recent years, the targets have shifted from individuals to governments, companies, nonprofits and health care systems.
HanesBrands said the ransomware attack affected its global supply chain network and ability to fulfill customer orders for about three weeks. The attack resulted in a $35 million reduction in adjusted operating profit for the second quarter of fiscal 2022, while lowering adjusted earnings per share by 8 cents.
HanesBrands said in the quarterly regulatory filing that it recognized a benefit related to business interruption insurance proceeds of $17.8 million, of which $15 million was received in the quarter.
For fiscal 2023 to date, it has recognized a benefit of $24.1 million, of which $20.6 million has been received.
The company also recognized a benefit of $708,000 for the reimbursement of costs related primarily to legal fees.
HanesBrands provided in the filing an update on a ransomware-related federal lawsuit filed in October 2022 on behalf of current and former employees.
The N.C. lawsuit, filed in federal Middle District Court on Oct. 13, has Nicole Toussaint as the plaintiff. A similar California lawsuit has been consolidated into the Toussaint complaint.
HanesBrands is pursuing dismissal of the complaint, claiming the plaintiffs lack standing and have failed to state a claim. “The company is vigorously defending the pending matter and believes the case is without merit,” according to the filing.
The complaint's main allegation is that the ransomware attack contributed to a data breach of “certain highly sensitive personal and protected health information” that included name, address, date of birth, financial account information and government-issued identification numbers, and other health and employment accounts.
Toussaint said she wasn’t notified of the data breach until Aug. 16, 2022. Toussaint lives in Maine and was employed as an assistant manager from 2012 through 2018.
The suits ask for compensatory, punitive and other damages, as well as injunctive relief that requires HanesBrands “to strengthen its data security systems and monitoring procedures, submit to future annual audits of those systems, and immediately provide adequate credit monitoring” for up to 10 years.
HanesBrands agreed to provide up to two years’ worth of credit monitoring.
In the response, HanesBrands said it “took extraordinary and immediate action to re-secure the implicated data set.” That included disclosing that it reached a payment agreement of an undisclosed amount with the ransomware attacker.
In exchange, the attacker agreed to not disseminate the information and to delete the information from its systems with confirmation provided. HanesBrands said it was provided evidence on June 3, 2022, that those actions had occurred.
HanesBrands has not said whether the attack affected only internal operations, or whether the information held hostage affected employees and customers.