Norwex USA Data Breach Exposes Personally Identifiable Info

Norwex USA, Inc. recently disclosed a significant data breach that exposed sensitive personal information. The breach was reported to various state attorney general offices, with disclosures made to California on December 27, 2024, Massachusetts and South Carolina on December 23, 2024, and Texas on January 7, 2025.

The breach affected a varying number of individuals across states: 1 person in Texas, 1 person in Massachusetts, and at least 1,000 people in South Carolina. The exact total number of individuals impacted nationwide has not been disclosed.

The compromised information includes highly sensitive personal and financial data, such as:

• Names
• Social Security numbers
• Driver's license numbers
• Payroll information (including salaries, performance reviews, and claims)
• Tax form information
• Dates of birth
• Mailing addresses
• Financial account information
• Payment card information
• Medical information
• Health insurance information

The breach was reportedly caused by a security incident that resulted in unauthorized access to Norwex’s systems. The company has not disclosed specific details about how the breach occurred or who was responsible, but the exposure of such a wide range of sensitive data highlights the severity of the incident.

For more details, you can review the disclosure filed with the California Attorney General's office, the Massachusetts Attorney General's office, the South Carolina Attorney General's office, and the Texas Attorney General's office.

Norwex USA, Inc's response

In response to the breach, Norwex USA, Inc. activated its incident response and business continuity protocols. The company took the following steps:

• Disabled certain system features to restrict further unauthorized access.
• Initiated an investigation with the assistance of external experts.
• Reported the incident to law enforcement.
• Implemented enhanced security measures across the company to prevent future breaches.
• Began restoring its systems once it was deemed safe to do so.

Additionally, Norwex has partnered with Identity Defense to offer affected individuals two years of free identity monitoring services. These services include identity protection support and assistance with resolving identity theft issues. Affected individuals have until March 25, 2025, to enroll in these services.

Steps you should take if you are affected by the data breach

If you believe your information may have been compromised in this breach, it is essential to take the following steps immediately:

1. Enroll in identity monitoring services: Norwex is offering free identity monitoring through Identity Defense. Visit app.identitydefense.com/enrollment/activate/Norwex and use your unique activation code to register before the March 25, 2025, deadline.
2. Monitor your financial accounts: Keep a close eye on your bank accounts, credit card statements, and other financial accounts for any unauthorized transactions.
3. Place a fraud alert or credit freeze: Contact the three major credit bureaus—Experian, Equifax, and TransUnion—to place a fraud alert or security freeze on your credit file. This will help prevent unauthorized credit activity in your name.
4. Obtain your free credit report: U.S. residents are entitled to one free credit report annually from each of the three credit bureaus. Visit www.annualcreditreport.com or call 877-322-8228 to request your report.
5. Be vigilant about phishing attempts: Avoid clicking on suspicious links or opening attachments from unknown senders. Verify the identity of individuals or organizations requesting sensitive information.
6. Report identity theft: If you suspect identity theft, report it to the Federal Trade Commission (FTC) at www.identitytheft.gov and file a police report.

For additional guidance, you can contact the FTC at 877-382-4357 or visit their identity theft prevention resources.