Cornwell Quality Tools this week confirmed it notified 103,782 people of a December 2024 data breach that compromised Social Security numbers, medical info, and financial account numbers.
Ransomware group Cactus took credit for the attack in February 2025 and said it stole 4.6 TB of data. To prove its claim, Cactus posted sample images of what it says are documents stolen from Cornwell. They include driver’s license scans, tax documents, and credit applications.
Cornwell has not verified Cactus’ claim. We do not know if Cornwell paid a ransom, how much Cactus demanded, or how attackers breached Cornwell’s network. Comparitech contacted Cornwell for comment and will update this article if it replies.
“On December 20, 2024, Cornwell became aware of unusual activity within its computer network and immediately took steps to secure its systems, engaging cybersecurity experts in the process,” says Cornwell’s notice to victims. “According to its investigation, an unknown actor gained access to Cornwell’s network and potentially acquired certain files on or around December 12, 2024.”
The payment portal for Cornwell’s Tech-Credit financing program is unavailable at time of writing.
Cornwell is offering eligible victims 12 months of free credit monitoring and $1 million in identity fraud insurance through IDX. The deadline to enroll is December 4, 2025.
This isn’t Cornwell’s first ransomware attack. In August 2023, the company notified 11,884 people of a September 2022 data breach that exposed names, Social Security numbers, and driver’s license numbers. Another ransomware group, Hive, took credit for that attack.
Who is Cactus?
Cactus is a ransomware gang that began claiming responsibility for cyber attacks in April 2023. Its double-extortion scheme both steals data and locks down target systems. Cactus operates a ransomware-as-a-service business in which customers pay to use Cactus malware and infrastructure to launch attacks and collect ransoms.
Cactus has claimed responsibility for 56 confirmed ransomware attacks in total, plus 237 unconfirmed attack claims that haven’t been publicly acknowledged by the targeted organizations.
The group frequently targets manufacturers like Cornwell. Five of Cactus’ 11 confirmed attacks in 2025 hit manufacturing companies. They include Tempel Steel Company (IL), KYB Americas (IN), Assa Abloy (Stockholm), Baillie Lumber (NY), and RevitaLash Cosmetics (CA). Cactus further struck three food and beverage makers: Amalgamated Sugar (ID), Alpha Baking (IL), and New Horizons Baking (OH).
Ransomware attacks on US manufacturers
Comparitech researchers logged 86 confirmed ransomware attacks on US manufacturers in 2024, plus 11 more attacks on specific manufacturing industries like food and healthcare. Across all these attacks, hackers breached 404,000 records.
The attack on Cornwell was the largest ransomware breach in 2024 by number of records affected, followed by an attack on Avery Products in July when unknown attackers compromised 67,000 records.
In 2025 to date, we’ve logged 45 confirmed attacks on manufacturers, compromising about 106,000 records. In one recent such attack, furniture maker LoveSac began issuing data breach notices following a February cyber attack claimed by RansomHub.
Our August ransomware roundup found that attack on manufacturers significantly increased over the last two months.
About Cornwell Quality Tools
Cornwell is a mobile tool manufacturer with two factories in Van Wert and Mogadore, OH, and dealers scattered throughout the USA. The company offers financing, called Tech Credit, for businesses to pay for tools over time.
