New Congoleum Data Breach Exposes 4,831 Names and SSNs, Triggers Lawsuit Probe

TL;DR: New Congoleum discovered unusual network activity on March 24, 2026, leading to a breach that exposed names and Social Security numbers of 4,831 individuals across the United States. A class‑action lawsuit investigation is now examining potential compensation for affected persons.

Context: New Congoleum, a subsidiary of Beaulieu International Group, manufactures resilient flooring under the Congoleum brand. The company detected anomalous traffic on its internal network and engaged third‑party cybersecurity experts to investigate.

Key Facts: The investigation confirmed that personal data of 4,831 U.S. residents was accessed, including six individuals in Maine and three in Vermont, with exposed fields limited to names and Social Security numbers. Written notices were mailed to victims on May 8, 2026. No financial or health information was reported as compromised.

What It Means: Exposure of names and SSNs increases risk of identity theft and fraudulent credit applications. Affected individuals may be eligible for monetary compensation through the ongoing class‑action probe, which could result in settlement funds or credit‑monitoring offerings.

Mitigations: Organizations should enforce multi‑factor authentication on all privileged accounts and monitor for anomalous login patterns using SIEM rules aligned with MITRE ATT&CK T1078 (Valid Accounts). Ensure timely patching of external‑facing services, implement network segmentation to limit lateral movement, and deploy endpoint detection and response tools to flag suspicious command‑line activity (T1059). Regularly review access logs and enforce least‑privilege principles to reduce the risk of credential misuse.

What to watch next: Expect further disclosures from the lawsuit investigation, potential regulatory notices from state attorneys general, and any updates on whether additional data types were involved.