Baillie Lumber Data Breach: 52 GB of Sensitive Data Stolen

On Feb. 11, 2025, Baillie Lumber Co. discovered suspicious activity within its network. An investigation revealed that an unauthorized actor had accessed certain files between Feb. 6 and Feb. 12, 2025, and may have copied them.

This breach was later attributed to the Cactus ransomware group, which claimed responsibility and posted about the attack on its dark web portal on March 12, 2025. The group asserted it had obtained 52 GB of data, including personal identifiable information, corporate confidential documents, financial data, payroll, legal documents, HR department files, employee and executive personal documents, and corporate correspondence.

After a detailed review, Baillie finalized its assessment on July 1, 2025, confirming that information related to certain individuals was affected. According to regulatory filings, the exposed data included names and Social Security numbers (PII), as well as driver’s license numbers, medical information, and health insurance information (PHI).

The breach impacted at least 595 individuals in Texas, four in Maine, and 42 in New Hampshire.

The incident was reported to the Maine Attorney General on July 31, 2025, to the Texas Attorney General on Aug. 1, 2025, and on July 31st to the New Hampshire Attorney General and Massachusetts Attorney General.

Notifications to affected individuals were sent via U.S. Mail on July 31, 2025.

Baillie Lumber's response

For those whose personal information was potentially affected, Baillie is offering 24 months of complimentary credit monitoring and identity theft protection services through Epiq. Impacted individuals are encouraged to enroll in these services, which include credit monitoring, dark web surveillance, identity restoration support, and up to $1 million in identity theft insurance.

Instructions and activation codes were included in the notification letters.

Baillie also provided guidance on how to protect against identity theft and fraud, such as monitoring account statements, reviewing free credit reports, placing fraud alerts or credit freezes, and contacting the Federal Trade Commission or local law enforcement to report suspected identity theft. The company has notified state regulators and the three major credit bureaus about the breach.

Given the ransomware nature of the attack and the types of information exposed, individuals who received a notice should take the following steps:

• Enroll in the provided credit monitoring service as soon as possible
• Monitor financial accounts and credit reports for suspicious activity
• Consider placing a fraud alert or credit freeze with the credit bureaus
• Report any signs of identity theft to the appropriate authorities