March 07, 2025
Cyberattack Debilitates Crystal D's Operations: Communication Down, Orders Rescheduled
The Minnesota-headquartered supplier of crystal awards and gifts had lost communication with customers, but was working to become operational again, though shipments were being delayed.
Key Takeaways
• Hacked: Crystal D’s (asi/47759) operations were disrupted by a cyberattack, affecting communication and order schedules.
• Good News So Far: The supplier said there’s no evidence yet that hackers have accessed sensitive customer information.
• Doing Their Best: Efforts are ongoing to resolve the issue. Crystal D is asking for patience.
Hackers have hit another promotional products firm, with a reported cyberattack temporarily crippling Crystal D’s (asi/47759) operations.
The St. Paul, MN-headquartered supplier of crystal awards and gifts said March 7 that a cyber assault has rendered the firm incapable of accessing phones and email accounts. Communication between Crystal D and its customers was down beginning around 7 a.m. Central Time on March 7 and remained down into at least the afternoon. The firm said Monday, March 10 that it hoped to have an update at some point that day.
“The company is working diligently to find and understand the point of entry and is mitigating any further issues,” said Bridget Dahlgren, Crystal D’s executive vice president of marketing and sales.
As of this writing, Crystal D had found no evidence that the digital criminals had accessed sensitive customer information.
Orders scheduled to ship March 7 were being rescheduled. Exact dates were not immediately known, but would be determined. Crystal D said it will continue to update customers.
“Those with questions are asked to be patient until we know more information,” Dahlgren said. “A second update will be sent as soon as possible.”
$4.88 Million: the average cost of a data breach in 2024, the highest average on record. (IBM)
CNBC reported this week that experts believe it has “never been easier to be a cybercriminal, thanks to advancements in scam technology and an expanding cybercrime economy.”
For sure, cybersecurity in the promotional product industry has been top of mind for merch executives. At the 2024 ASI Power Summit, industry leaders acknowledged in a panel discussion that it has become a huge concern and that large portions of their information technology budgets go toward protecting their businesses against such attacks.
The panelists shared that, through proper employee training and consistent evolution of systems to account for potential vulnerabilities, businesses can greatly increase their chances of fending off an attack. It’s possible for small and midsized companies, too.
Still, nothing is foolproof, and promo firms large and small have sustained attacks. Counselor Top 40 distributor Staples Promotional Products (asi/120601) suffered an apparent hacking in December 2023.
A 2019 hacking at Counselor Top 40 firm alphabroder (asi/34063) led to a ransom payment. Counselor Top 40 supplier Hit Promotional Products (asi/61125) contended with what was described as a cybersecurity incident in March of 2023.
Meanwhile, MV Sport/The Game (asi/68318) sustained an attack in September/October 2022. Aakron Line (asi/30270) dealt with a malware issue. HanesBrands (asi/59528) was compromised. Essent Corporation, a promo-focused business management platform, fell prey to an encryption attack in late 2022. Hackers infiltrated a Cisco merch store in September. The list, sadly, could go on.
Protect Your Business
The National Institute of Standards and Technology offers the following advice to help businesses protect themselves from a ransomware attack.
- Use antivirus software at all times – and make sure it’s set up to automatically scan emails and removable media (e.g., flash drives) for ransomware and other malware.
- Keep all computers fully patched.
- Use security products or services that block access to known ransomware sites on the internet.
- Configure operating systems or use third-party software to allow only authorized applications to run on computers.
- Restrict or prohibit use of personally owned devices on the organization’s networks and for telework/remote access without taking extra steps to assure security.
- Employees should use standard user accounts instead of accounts with administrative privileges whenever possible.
- Employees should avoid using personal applications and websites, such as email, chat and social media, from work computers.
- Workers should avoid opening files, clicking on links, etc. from unknown sources without first checking for suspicious content. For example, an individual can run an antivirus scan on a file or look at a link to see if it really goes to the site it claims to be going to.
- It’s critical that companies train employees how to spot the latest phishing attempts and related attacks.