Lovesac Admits Data Breach Compromising Sensitive Personal Data

Lovesac, a well-known American furniture brand, revealed that a data security breach it encountered earlier this year exposed the sensitive personal details of many of its clients.

 

Lovesac, based in Stamford, Connecticut, specialises in modular, reconfigurable furniture, most notably the “Sactional” (a customisable sectional sofa) and the “Sac” (a modern bean bag chair). Both are known for their durable, washable covers and adaptable designs that evolve with customers’ changing needs and spaces.

 

In a data security incident notice filed with the Office of Vermont Attorney General, Lovesac said that on February 28, it identified suspicious activity within its internal network. The furniture brand immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident.

 

The investigation revealed that “between February 12, 2025 and March 3, 2025, an unauthorised actor accessed certain systems within the environment and copied certain files from those systems.” 

 

The compromised data included names and other personal details, but the sample notice shared with the Attorney General’s office did not specify further. The company has yet to confirm if customers, employees, or contractors were affected, and it has not disclosed how many people were impacted.

 

“As part of our ongoing commitment to the privacy of personal information in our care, we are reviewing our policies, procedures, and processes related to the storage and access of personal information to reduce the likelihood of a similar future event. We will also notify applicable regulatory authorities, as required by law,” Lovesac said.

 

While the company found no evidence of the compromised information being misused, it has advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and state attorney general. 

 

It has also offered two years of complimentary identity protection and credit monitoring services through Experian to all affected individuals.

 

 

 

The RansomHub ransomware group claimed responsibility for the cyber attack on Lovesac and listed it as a victim on its data leak site. The group claimed to be in possession of  40 GB of confidential data stolen from the furniture company and gave a deadline of 5 days to fulfil its ransom demand. 

 

It is unclear whether Lovesac engaged with the hacker group or paid a ransom.