On August 25, 2022, Valex Corporation filed an official notice of a data breach with the Attorney General of California after the company reportedly experienced a malware attack that leaked consumer data. According to Valex, the breach resulted in the names, dates of birth and Social Security numbers of certain individuals being compromised. After confirming the breach and identifying all affected parties, Valex Corp. began sending out data breach letters to all affected parties.
If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the Valex Corp. data breach, please see our recent piece on the topic here.
What We Know About the Valex Corp. Data Breach
The information about the Valex Corporation data breach comes from the company’s official filing with the Attorney General of California. Based on this information, on around July 1, 2021, Valex determined that the company had been the target of a malware attack. Upon making this discovery, Valex secured its systems, restored access to authorized individuals, and launched an investigation into the incident in hopes of determining whether any consumer data was impacted.
The Valex investigation confirmed that an unauthorized party was able to gain access to its system between June 30, 2021 and July 1, 2021. The investigation also revealed that certain data was removed from Valex’s servers. However, the company could not distinguish between the data that was viewed versus that which was viewed and removed.
Upon discovering that sensitive consumer data was accessible to an unauthorized party, Valex Corp. began the process of reviewing all affected files to determine what information was compromised and which consumers were impacted by the incident. While the breached information varies depending on the individual, it may include your name, date of birth and Social Security number.
On August 25, 2022, Valex Corp. sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
More Information About Valex Corporation
Based in Ventura and founded in 1976, California, Valex Corporation is a manufacturer of ultra-high purity stainless steel distribution system components. Some of the company’s products include stainless steel tube, pipe & fittings, A22® alloy tube & fittings, stainless steel ASME BPE, manifolds & integrated assemblies, high-purity ball valves, process cooling water ball valves, and mini ball valves. Valex Corp. employs more than 333 people and generates approximately $28 million in annual revenue.
Why Did Valex Wait So Long to File Notice of a Data Breach?
The Valex data breach was first discovered in June 2021; however, it appears as though the company did not file an official notice of the breach until August 2022. When did Valex know if consumer data was leaked? And if the company was aware of a leak over a year ago, doesn’t it increase the risks of identity theft and other frauds being committed against victims of the breach by waiting to provide notice of the incident?
Definitely, hackers and other cybercriminals try to use any information they steal as soon as possible—well before consumers can cancel their credit cards and alert potential lenders. By acting quickly, hackers may also evade law enforcement. Thus, by waiting to provide notice, a company gives hackers ample time to use the data for criminal purposes. That said, there are a few valid reasons why companies do not announce a data breach immediately. Of course, there are also some less compelling reasons for waiting to announce a data breach.
One possible explanation for a delayed breach report is that the company doesn’t realize it had been hacked until weeks or months after the incident. In these cases, there is little a business can do if it is unaware of a breach. Of course, those organizations with strong data security systems should be able to identify and contain a breach rather quickly. So, while companies can’t report a breach they are unaware of, that isn’t exactly a good excuse.
Another reason why a data breach may not be reported immediately is that the company is cooperating with a law enforcement investigation. In some situations, law enforcement agencies ask victimized businesses to hold off on reporting a breach so as to not alert hackers that the breach has been detected and is under investigation. By not reporting the breach, it gives law enforcement time to investigate the incident and, potentially, catch the criminals who orchestrated the attack.
Finally, another reason why a company may not immediately report a breach is that the company is in the process of reviewing the leaked data to see what data types were exposed and who was affected. Once a company learns of a data breach, it needs to review the compromised files, which can take time. However, there is nothing stopping a company from issuing a preliminary notice to all customers whose information may have been affected.
Of course, some companies don’t report a data breach because it isn’t high on their list of priorities or because they fear the public’s backlash. It’s too early to tell why Valex waited over a year to provide consumers with notice that their information had been leaked, but it certainly raises a few questions.