Farmer Bros., the Texas-headquartered coffee and foodservice company, has confirmed a cyber incident that exposed personal data belonging to thousands of people. A data breach notice filed with the Maine Attorney General’s Office shows more than 14,000 individuals were affected, and the company says it is providing identity-protection services to impacted people.
Conflicting Timelines and Detection Details
The company’s public notice contains inconsistent timing details. Farmer Bros. said it detected suspicious activity and launched an investigation in late January 2024, and that attackers had “roamed” its network for nearly 12 days. Separately, the filing indicates threat actors gained access earlier, showing unauthorized activity between September 30, 2023, and October 18, 2023. The breach notice also states attackers accessed personal information, but the sections that specify which types of data were exposed are redacted.
Farmer Bros. says it notified authorities and assisted law enforcement during the investigation. The company engaged in incident response after detection and submitted the details of the breach to state regulators as required.
Scope of Compromised Information Largely Redacted
The company’s data breach notice confirms that attackers accessed personal information, but the notice leaves the specific categories blacked out in the document filed with the Maine Attorney General’s Office. The redactions prevent a clear, public accounting of the exact data elements exposed in the incident.
Despite the redactions, Farmer Bros. has moved to offer affected individuals complimentary identity theft and credit monitoring services, a common remediation step when personal identifiers such as names, account details, or government IDs are at risk.
Ransomware Claim and Stolen Data Volume
In early April this year, the Chaos ransomware gang posted a claim of responsibility for an attack on Farmer Bros. The group stated it had exfiltrated 650 GB of data. Farmer Bros. has not publicly tied the redacted entries in its regulatory filing to that claim, and the relationship between the Chaos gang’s statement and the company’s breach notice remains unclear based on the documents available.
The company stated it informed law enforcement and cooperated with investigators; the filing does not publicly attribute the incident to a specific threat actor.
Company Response and Customer Guidance
Farmer Bros. says it launched an internal investigation promptly after detecting the intrusion and engaged external responders to help determine the scope of the impact. The company encourages customers to monitor accounts and to take standard precautions against identity theft. The breach notice includes the company’s recommendation that affected individuals remain vigilant for fraud and to review account statements and credit reports for suspicious activity.
The company confirmed it will provide identity-protection resources to those identified as impacted. The notice does not list additional operational or technical remediation steps in the public filing.
Business Profile And Operational Footprint
Farmer Bros. primarily supplies coffee, tea and spices to businesses across the United States. The company reported more than $340 million in sales for its 2024 fiscal year. Farmer Bros. operates tens of locations, two major manufacturing centers in Texas and Oregon, and multiple distribution centers. In addition to beverage products, the company sells equipment, offers beverage planning services, and supplies culinary products and services to U.S. customers.
What Remains Unclear
Public filings and the company notice leave several questions unanswered: the exact data fields exposed, how long the redacted items were accessible, and whether the Chaos gang’s claim of 650 GB stolen directly corresponds to the data described in Farmer Bros.’ filing. The redactions in the regulatory notice limit the amount of detail available to affected customers and enterprise observers.
The company was contacted for comment regarding the redactions, the nature of the stolen data, and whether the Chaos claim is connected to the incident; no immediate public statement clarifying those points was provided in the filing.
