Crown Equipment victim of a cyber attack? – sites and production down

Sicherheit (Pexels, allgemeine Nutzung)[German]According to my information, the forklift manufacturer, Crown Equipment Corporation, has been the (possibile) victim of a cyber attack. The websites are no longer accessible – and employees are being sent home. Production plants has been shut down since Monday, June 10, 2024). In the USA, it is said that people have not been paid either. Officially, the company is tight lipped – here is the information I have researched.


Advertising

Who is Crown Equipment Corporation?

Crown Equipment Corporation is the world's fifth largest manufacturer of forklift trucks, industrial trucks and high-rack conveyors. The US company is headquartered in New Bremen, Ohio, United States.

There are four other regional company headquarters in Australia, China, Germany and Singapore. The European company headquarters in Feldkirchen near Munich in Upper Bavaria is responsible for the Europe, Middle East, Africa and India region. There also appears to be a production facility in Roding, in the district of Cham, Bavaria, Germany.

Worldwide IT outage – production down

German blog reader Christian Z. sent me yesterday an e-mail drawing my attention to a report in the Mittelbayrische newspaper (thanks for that), which talks about worldwide IT system outage at this company. The Crown website (crown[.]com) is not available.

crown.com is temporarily unavailable

Any attempt to visit the web site end with the message "crown.com is temporarily unavailable" (see the screenshot above). Wouldn't be a problem yet, maybe the web server is down or under maintenance. But the Mittelbayrische report doesn't sound good in this context.


Advertising

  • Since Monday, June 10, 2024, production at the forklift truck manufacturer's two sites in Roding (Cham district in Germany) has been at a standstill.
  • The switchboard is dead, so the manufacturer cannot be reached by phone.
  • Crown's website (crown[.]com) is down worldwide.

And there are reports of IT problems worldwide. Some of the employees from Roding were sent home. According to the report, the Crown managing director on site in Roding was unable to say exactly what had happened. There are recent posts on the company's Facebook pages, but no explanation of what is going on. The Bing crawler was last able to visit the page on June 9, 2024. With the overall picture above, I'm guessing a ransomware attack.

Was it a Cyberattack?

While des Management of Crown Equipment Corporation is tight lipped, my blog readers provided me with references to sources, explaining what happens. Sandra postet a comment linking to this tweet saying:

thanks for letting your servers be hacked and not paying your employees. It's not like we have bills or anything. I thought I worked for a better company.

It's obviously an employee, that is struggling now, but this is a "suspicion". And I found a 2nd tweet, a reader forwarded to me (thanks to all my sources).

Hey Jon I work for Crown Equipment, billion dollar company with 19,000 plus employees. We were hit with a cyberattack and are currently not working. Now they tell us no pay! This after bragging about being an employee first company, have to love corporate America.

It's the 2nd independent confirmation, that Crown Equipment Corporation coudl be ictim of a cyber attack. At reddit.com there is a thread Crown Lift Trucks experiencing phishing hack. Company told staff to stay home for "further updates" and told them to seek unemployment while systems are offline, somebody startet with:

2 days now we've been kept in the dark. No way to clock time, no service manuals or parts manuals but still expected to be billing. It's been a shitshow and no updates on what's going on or when we'll be back online

An ex-employee from this area writes:

As someone who has worked with Crown forklifts for about a decade, this is the price the company gets for moving away from books and psrt (name of parts and service catalog) offline on an SD card in an Android tablet.

Looks like Crown was fully digitized. An employee of the company outed himself in the thread and wrote:

I currently work there. Everyone is desperate, can't order parts except from TVH and that's for emergencies only. The company has not yet officially announced that it has been hacked, but they keep emphasizing the importance of MFA. We can read between the lines.

What strikes me: there is no public announcement of what happened to the company. And the mention of multifactor authentication (MFA) in the context of the phishing attack mentioned above completes the picture.

Incidentally, during my research I also noticed that Crown has been looking for cybersecurity experts in the past. If somebody has further insights, feel free to drop a comment or contact my via e-mail (see the about page), if discretion is required.

More information I got

Now I got more and more feedback from sources involved in that matter. Some workers say they don't get payed (see also this reddit.com thread). I've heard that they will try on "Monday" a manual payment for their workers – but people asked to take vacation time or asked for unemployment.

Investigative journalist George Webb has a video statement on X, which doesn't reveal details what's going on at Crown Construction, but shed light on the company structure of the owners.

The information I got from multiple sources spread from "hacking attempt, somebody just opened a file, but systems shut down immediately" (see post from mightbeBOND in this reddit.com thread), to "installed a fake VPN and gained control to everything" (see comment from DragonflyJust2223 at reddit.com) up to "they have it all, blue prints floating in the internet" (see Derrickspartan1's post within this reddit.com thread).

Insides from the company

I've seen also some advices from Crown HR department dealing with lost work shift for hourly employees, advice to technicians and sales people and so on. Within this advices employees are instructed, not the clear the data from their tablets and await additional directions.

In a statement all employees was told that "the department" has implemented additional "system security measures". The timeout function of multi factor authentication (MFA) has been "reduced effective immediately". All employees will experience an increase in the number of prompts when accessing system resources. They shall ignore MFA prompts, if not attempting to access resources and call an internal telephone number.

They told it's employees also, that a temporary policy is in place, restricting access to Office 365 (so applications as E-Mail, Teams, SharePoint and OneDrive) are only available on company devices. It was mentioned that this "additional system security measures" are important to recovery efforts into getting the systems back up and running.

It wasn't a hack, it was a coding error

The latest information I got from a reader, who claims, that "Crown was not actually hit by a cyber attack". Instead it's probably a "coding error" who send their software system (crown 365), used for everything from payroll to email to sales to catalog services, downhill. But how probable is a "coding error", that forces all systems offline for a week? In such cases a backup might bring all systems back within hours.

An example how not to deal with such an incident

Pretty much speculation at all. What we know for sure: All their IT systems are down and they are working manually or shut down their production plants worldwide.

Let's hope for all customers and employees, that things get sorted out on Monday (June 17, 2024). This is an excellent example, how such an incident should not be handled by a company's management – just a short note "Hello, we have a global outage of our IT systems, because it's … [ ]a technical issue / [ ]a cyber incident" would keep customers informed and ends speculation (except, the note is based on false claims). I asked on Facebook for a statement a few days ago, but no answer till yet.

Update from June 19, 2024: Crown has informed it's employees, that a ransomware attack has grounded their it system. All further details and discussions will be found within my new blog post Crown Equipment Corporation victim of a Ransomware attack.


Cookies helps to fund this blog: Cookie settings
Advertising


This entry was posted in Security and tagged . Bookmark the permalink.

31 Responses to Crown Equipment victim of a cyber attack? – sites and production down

  1. Anonymous says:

    Considering that they shut down everything, including payroll, I wonder if there is anything that employees can do with the fact that Crown has completely refused to announce the potential breach of personal information to its employees.

  2. Chris M Hernandez says:

    My grandson-in-law came by today and told me that they are told they will get an update on what to expect moving forward. The gossip is that the ransom wanted is $250,000,000.00. They have been told to seek unemployment benefits. He wants to hold out and go back, but said he may return to his old job since they want him to return. He also said that after speaking with friends from work, many will look for other jobs if they don't hear anything more substantial by Monday because they can't wait for this to be resolved. He works at the New Bremen facility.

  3. TFF says:

    The company has been trying it's best to resolve whatever issues have been going on. It's my point of view that Crown Equipment Corporation is keeping the needs of the employees in mind as best as possible. Everyone has a part to do in times of struggle. It is not solely headquarter's responsibility to get and keep the company moving forward.

    • Anonymous says:

      It's absolutely crowns responsibility to keep things moving forward! Hourly employees do their part but when Family oriented Crown who takes care of their employees says you cannot come to work which as of now is 7 days with no pay is a problem! So please enlighten me on whos responsibility it is to keep things moving forward. You must be salary?

    • Lot says:

      Yes it is. How can somebody help move the company forward when they won't even tell them what's actually going on?

    • Garrett says:

      Are you a supervisor or something cause that is the biggest bull dung Ive ever heard.

    • Anonymous says:

      The company has not kept employees best interests in mind as they are keeping us all in the dark about everything. Forcing us to use our own vacation time so we don't lose pay or filing for unemployment meaning losing a whole week of pay plus it only covers partial paychecks. Jim Dicke is willing to pay the 250 million in ransom but refuses to cover employees pay.

  4. Advertising

  5. Anonymous says:

    It has been almost a week now. we are on the 4th day. hourly employees in new bremen HAVE NOT been told to contact unemployment. our latest call we've received is to use vacation or personal time or receive no pay.

    • Anonymous says:

      Wrong. You didn't listen

    • Anonymous says:

      The employees were called on a Saturday for the unemployment deadline being midnight that night and nobody in office to help when their website would not work for multiple people. Factory workers are called off for the second week with no pay until June 24th.

  6. Anonymous current employee says:

    It's past time for Crown to come clean and make a public statement. Everyone knows at this point they were a victim of a cyberattack. Rather than allow rumors to grow the owners need to suck it up and make a public statement. It's already being reported that some of there blueprints have been found on the internet. This is what happens to a company when you have singular point of data security and no cybersecurity team to manage your information.

  7. Doug Hoying says:

    This in not surprising considering Joe Biden probably gave away TONS of American secrets to anybody who asked for them.

    • guenni says:

      I'm not an US citizen, but can you explain that with concrete examples? US President Joe Biden is only able to gave away political American secretes – other secrets based in companies can only be gave away from these source – imho.

    • Anonymous says:

      Donald Trump was indicted for stealing classified government documents and selling them to the highest bidder. He even admitted taking them, and has refused to return them. Joe Biden? This is projection at it's best, LOL.

  8. Anonymous employee.crown says:

    I don't know about anyone else, but I've been getting 30 plus spam calls and texts every day now since early Monday. I've been worried about my personal information being out there if this was in fact a hack job.

  9. Anonymous says:

    hi all,
    i placed an order with crown about a month ago. i think who ever has been in their system has been in their for a while as. on multiple times i have requested a invoice to pay for the good requested. i have filled out all the paper work and given them time to process but it has been about four week and i have still not been given an invoice to pay for the goods.
    the rep has lied to me about what is happening about the order and has not been replying to my phone calls or emails. i have called the main line that i got in the email footer and im being told that the call, email and internal it systems have been down for about two weeks. the rep stated that they have been using paper and pen to take down notes about whos calling and when.
    i have signed the documents but they have not delivered and due to this i think im going to take my business to a different suppler, the one who sponsored the olympics in that country, you know the one. i think ill get better service from them. :)
    FUCK CROWN, SUPPORT YOUR EMPLOYEES AND CUSTOMERS

  10. Anonymous says:

    Not necessarily…the US gov't has plenty of info on both US and foreign corporations. If leaking something about one would benefit he or his family, I wouldn't put it past him…

  11. Anonymous says:

    The George Webb stuff isn't even talking about the correct Crown Company. There is no Henry Crown associated with Crown Equipment Corporation and never was.

  12. Employee says:

    I've worked for crown for 15years the people that work the hardest to build these forklifts seems to be the only people not getting paid I feel if we can't get paid salary people and people high up on the food chain should not get paid as well. Thought we worked for a family oriented company. Probably won't see crown name on top 100 companies to work for in this country next year. We will see how this turns out. Ball is in your court crown. Make your employees happy

    • Go Flyers says:

      My husband works at New Bremen. He went in yesterday because he didn't get a call. He saw two people doing his job that had years less seniority. When he asked about it, his supervisor said he would have to call his bosses boss to ask. When my husband tried to call, they are unable to transfer calls. He felt defeated and upset. He went to unemployment office yesterday. And yesterday he had an unauthorized bank charge where somebody tried to purchase $200 worth of hair products. He had to request a new card. It makes me wonder if the people that hacked now have access to card/bank info too. Just letting people know to check and possibly get a new card. Hope he gets paid this Friday, but I can't imagine them printing or writing that many checks.

  13. Anonymous says:

    I agree that the company needs to give a statement. I currently work there and all I've heard is rumors! Why is it so hard to be open and honest with your employees? If you know it's going to take awhile, say that! we've been getting calls almost every day since this has started but it's just bs and not telling us the complete truth. I absolutely understand that horrible stuff like this unfortunately happens but they need to remember the employees! I'm sure salary employees are still getting paid and that's not fair to the rest of us!!

  14. Anonymous says:

    also, got the call this evening that we are off for another week!!

  15. Bb says:

    How can you just shut out your employees? Not tell them anything… then keep them out of work until the 24th! Last phone call from today on Monday June 17th says return date is now Monday June 24th! Unless we get another call on Monday! And file for unemployment? That's 390.00 a week ….. at the most in Indiana…. And that's not even a fraction of what my husband gets paid…. How are people going to make house payments and rent payments with absolutely nothing?! My husband was so excited to work at crown when he first started… and now years later after bustin ass at work – bc of the company these people need to use their vacation time!? Their personal time?! Or file for unemployment?! That's something I would expect a crappy factory to do. This is just crazy and I didn't even thiiiink about how everyone is supposed to get their paychecks?! Ummmm so u take their hours and take money from these families – but then when it's payday are they even gonna be able to pay people for their one week bc payday is this Friday! This should be covered by insurance. You can't just send home tens of thousands of people and not pay them. But right- pay all the salary people?! The hourly workers are the ones you need to build these damn forklifts.

    • RS says:

      I completely agree with your statement. My husband has worked with this company for over 8 years for them to tell him to return to work yesterday..then shows up to work just for them to tell him to come back on 6/24 is ridiculous. People have bills to pay and mouths to feed and insurance should be able to cover time out of work or atleast 1/2 a paycheck without taking their PTO time away from them.

  16. Plane Stupid says:

    Follow the assets. The last time the corporate jet was out was June 11 when it made a round trip to San Antonio, TX.

  17. A stressed employee says:

    Don't forget to mention the big cyber security attack on Microsoft. Microsoft office 365. This goes a lot deeper than we think. I work at Crown and this Is devastating. Who's going to go after Microsoft? After all they created 365 not Crown. Crown should pay us all and then go after the big dogs for all this shit. I also feel like everything should not be digital in the first place. A code error would have been easier to recover from and not cause this kind of chaos. I'm waiting to see what company is going to be next.

  18. Anonymous DFW Technician says:

    Current field service technician here, we are being kept completely in the dark. We don't even have work across the entire DFW metroplex because our call system is down. Even if you take a call, there are no details about the unit. You get there and find the unit and do your best to diagnose it (no service manual) and once you find the failed part (no parts manual) you have to take a trip to the shop where the parts staff is being told not to come and the managers are doing nothing to mitigate the situation. No one at my branch seems concerned that their information is at risk and with the severity of this. I will be quitting anyways though and working for another company, actually today after I aimlessly wander around my customers to find someone to service. I don't think Crown is too big to fail at all though. This company is outdated, corrupt and poorly engineered. Now other people are suffering from that neglect

  19. Anonymous unpaid Crown employee says:

    Crown is a POS….won't pay their hourly employees but will have the lots paved while they are shut down. That's complete BS. I hope whoever is doing the paving got paid upfront because they won't get paid now. The Dickie family needs to be honest with the employees for once in their life. Maybe if all the hourly employees gathered in front of Dickies mansion in New Bremen they'd wake up. But then again the Dickie family owns New Bremen Police as well as all of New Bremen. Where's all the media in this area….why aren't they demanding answers form the Dickie family.

  20. Sam Shriver says:

    I'm a news reporter for the Van Wert Times Bulletin, which is near the Celina facility.
    I welcome any Crown Equipment employee to go on the record to discuss what you're going through and what you've been told about the "cyber attack".

    sshriver@cherryroad.com

Comments are closed.