NHB Holdings Data Breach Affects 9,476 Individuals

On Jan. 11, 2025, NHB Holdings, LLC and its subsidiaries, New Horizons Baking Company, LLC, Genesis Baking Company, LLC, Metraco Transportation Company, LLC, and New Horizons Food Solutions, LLC (“New Horizons”), discovered suspicious activity in their computer environment. An investigation revealed that an unauthorized actor had accessed and acquired certain files between Jan. 6 and Jan. 10, 2025.

The investigation was completed on July 11, 2025, confirming that the exposed information included names and Social Security numbers, which are classified as personally identifiable information (PII).

The breach affected a total of 9,476 individuals across the United States, including one Maine resident and 60 Massachusetts residents. The incident was reported to state authorities, with disclosures filed with the Maine Attorney General and the Massachusetts Attorney General on Aug. 28, 2025.

The breach’s severity is underscored by the involvement of the Cactus ransomware group, which claimed responsibility for the attack. On Feb. 20, 2025, Cactus posted on the dark web that it had obtained 455 GB of company data, including PII, database backups, confidential corporate documents, contracts, HR and payroll data, financial records, and personal folders of employees and executives. The group’s disclosure indicates the attack was a ransomware incident, targeting a broad range of sensitive information and potentially impacting both current and former employees.

New Horizons's response

Upon discovery of the breach, New Horizons launched an internal investigation and worked with cybersecurity professionals to determine the scope and impact of the incident. The company secured its systems, reviewed the compromised files, and notified federal law enforcement. New Horizons also began implementing additional security safeguards and employee training to reduce the risk of future incidents.

All affected individuals are being offered complimentary credit monitoring and identity protection services through Cyberscout, a TransUnion company. Impacted individuals in Maine are eligible for twelve months of credit monitoring, while those in Massachusetts are being offered twenty-four months. Written notification letters were sent to all affected parties beginning Aug. 28, 2025.

New Horizons has provided detailed guidance to help individuals protect themselves from identity theft and fraud, including instructions on placing fraud alerts or credit freezes with the major credit bureaus, monitoring credit reports, and contacting law enforcement or their state attorney general if they suspect misuse of their information. Given the nature of the breach and the involvement of ransomware actors, affected individuals are strongly encouraged to take advantage of the credit monitoring services and remain vigilant for any signs of identity theft or suspicious activity on their financial accounts.