CHICAGO — According to the Allianz Risk Barometer for 2025, cybersecurity risk remained the top business concern in the United States and worldwide over the past year.
The types of “cyberattacks” in businesses include ransomware, data breaches and IT (information technology) disruptions.
As laundry equipment and technology become more digital with internet access and cloud-based applications, industrial and institutional operators should be aware of the possibility of cyberattacks and how to defend against them.
DATA, DISRUPTION
Steve Levenkron is vice president of information technology for PureStar, a commercial laundry hospitality laundry company. It has 13 regional brands with 36 facilities across three countries and in 22 major U.S. markets.
He says industrial laundry operations don’t have a lot of data that would be of interest to hackers and cyberattackers, but there is back-end information that could hold some value.
“Any company that employs a lot of folks, if you don’t have your network segregated, (hackers) could come in and get your payroll data, Social Security numbers, etc.,” he points out. “Again, the reason we’re not that big a target for it, say they wanted to get into bank accounts. Most of the employees are minimum-wage employees, so they’re not very valuable assets to sell.
“The only reason they would want to do it, like I said, is to get client data and information. Maybe get to client billables information, our billing information. Then they could run a typical scam where, because some of our clients do pay us good fees, they get that client billing contact information and send a fake email saying (they’ve) changed our information, so now wire your payments to here, which is obviously their bank account.”
Levenkron says that many smaller laundry operations use QuickBooks®, and they’re running the program locally, which is an area of vulnerability.
“We’re using major SAS (statistical analysis systems) vendors; they’re locked down,” he shares. “Getting to that data, it’s not very easy. Again, even the data itself, when you think about the data we have on our clients, because we don’t have direct tie-ins to our clients, there’s no connectivity.
“I came from staffing and engineering consulting where we did have direct connectivity into the client systems. Here, for the most part, you don’t. It’s not like hacking into us, you can get into the client’s network. Then, if you wanted the client’s info from us, we don’t really have sensitive client info. The only info we have about the client is who we send the bill to and their laundry history, which is probably not something a hacker’s interested in.”
Attackers typically aim to disrupt operations, exfiltrate sensitive data or extort money via ransomware, shares Anupam Swami, senior IT director for Prudential Overall Supply in Irvine, California.
“Compromising an industrial laundry can halt automated machinery controlled via Wi-Fi or IoT (Internet of Things) devices, impact logistics and distribution systems, and leak confidential customer and employee data,” she points out. “This can damage brand reputation, violate regulatory compliance (e.g., HIPAA or CCPA), and cause significant financial losses.”
Swami shares two instances where cyberattacks negatively affected an industrial laundry operation.
“A ransomware attack locked users out of email, payroll, and timecard systems, halting critical operations and causing disruption,” she describes. “In another instance, a vendor supporting an industrial laundry was hit by ransomware, delaying garment delivery and exposing the risks of third-party vulnerabilities.”
CYBERSECURITY EDUCATION
Levenkron says that some equipment vendors, such as for rail systems, are working toward making their equipment internet-accessible so that a chief engineer can see the rail system from their phone, their tablet, etc.
“Does that mean because it’s internet-accessible, does that expose it more? Yes, but again, is it something an attacker would want to go after? Probably not,” he says.
“Could they, through a vulnerability, get to a laptop of someone and then does that laptop connect to something? Yes. We just have to make sure it’s not a large number of people, and you have to make sure these laptops lock down properly.
“Employee education is key. That’s one thing we’re putting in place here.”
Email remains a very common attack vector, according to Swami. She says that operators must implement continuous cybersecurity awareness programs, including simulated phishing campaigns and scenario-based training.
“Employees should be trained to recognize suspicious links, protect credentials and report anomalies,” she says. “Adopting a recognized cybersecurity framework — for example, Center for Internet Security (CIS) Controls, National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) — ensures standardized policies, routine vulnerability scanning and even dark-web monitoring for compromised credentials, all of which help create a culture of cyber hygiene.”
Protection begins with a layered cybersecurity approach, according to Swami.
“This includes educating employees, enforcing strong password policies and implementing endpoint protection across all devices,” she shares.
“Equally critical is vendor risk management — ensuring third-party software and systems comply with industry-recognized security frameworks like NIST or ISO/IEC 27001. Regular audits, patching schedules, secure cloud configurations and application security reviews should be part of ongoing risk mitigation efforts.”
Levenkron cautions that although he says industrial laundries aren’t major targets for cyber attackers, that doesn’t mean operators shouldn’t do their proper diligence.
“There is a lot of data to flow, but the data is about sheets, and we use it for productivity,” he says. “It’s not of interest, but that doesn’t mean you don’t have to protect it. Do the right things.
“Don’t get lazy, don’t rest on your laurels, don’t get into a false sense of security because you know, even though a breach happens and nobody cares about the data, you don’t want to have to announce (you’ve) had a breach.
“It’s still a black eye and your competitors can use it against you. And customers don’t like to hear that about one of their vendors.”
Click HERE to read part 1 about the vulnerability of industrial and institutional laundries.
Have a question or comment? E-mail our editor Matt Poe at [email protected].
