Valex Corporation Announces Data Breach Following Malware Attack | Console and Associates, PC

On August 25, 2022, Valex Corporation filed a formal data breach notice with the California Attorney General after the company allegedly suffered a malware attack that allegedly leaked consumer data. According to Valex, the breach resulted in the compromise of certain individuals’ names, dates of birth and social security numbers. After confirming the breach and identifying all affected parties, Valex Corp. began sending data breach letters to all affected parties.

If you have received a data breach notification, it is essential that you understand what is at risk and what you can do about it. To learn more about how to protect yourself against fraud or identity theft and what your legal options are following the Valex Corp. data breach, please see our recent article on the subject. here.

What we know about the Valex Corp data breach

Valex Corporation’s data breach information comes from the company’s official filing with the California Attorney General. Based on this information, around July 1, 2021, Valex determined that the company had been the target of a malware attack. After making this discovery, Valex secured its systems, restored access to authorized individuals, and launched an investigation into the incident in hopes of determining if any consumer data was affected.

Valex’s investigation confirmed that an unauthorized party gained access to its system between June 30, 2021 and July 1, 2021. The investigation also revealed that some data was deleted from Valex’s servers. However, the company could not distinguish between what data was accessed and what was accessed and deleted.

After discovering that sensitive consumer data was accessible to an unauthorized party, Valex Corp. began the process of reviewing all affected files to determine what information was compromised and which consumers were impacted by the incident. Although the information disclosed will vary depending on the individual, it may include your name, date of birth, and social security number.

On August 25, 2022, Valex Corp. sent data breach letters to everyone whose information was compromised as a result of the recent data security incident.

More information about Valex Corporation

Based in Ventura and founded in 1976, California, Valex Corporation is a manufacturer of ultra-pure stainless steel distribution system components. Some of the Company’s products include Stainless Steel Tubes, Pipes and Fittings, Alloy A22® Tubes and Fittings, ASME BPE Stainless Steel, Integral Manifolds and Assemblies, High Performance Ball Valves purity, ball valves for process cooling water and mini ball valves. Valex Corp. employs more than 333 people and generates approximately $28 million in annual revenue.

Why did Valex wait so long to file a data breach notice?

The Valex data breach was first discovered in June 2021; however, it appears the company only filed a formal notice of breach in August 2022. When did Valex know if any consumer data had been leaked? And if the company knew of a leak more than a year ago, doesn’t that increase the risk of identity theft and other fraud being committed against the victims of the breach in waiting to provide notice of an incident?

Surely hackers and other cybercriminals try to use any information they steal as soon as possible, long before consumers can cancel their credit cards and alert potential lenders. By acting quickly, hackers can also evade law enforcement. Thus, while waiting to give notice, a company gives hackers enough time to use the data for criminal purposes. That said, there are a few valid reasons why companies don’t immediately announce a data breach. Of course, there are also less compelling reasons to wait before announcing a data breach.

One possible explanation for a delayed breach report is that the company doesn’t realize it was hacked until weeks or months after the incident. In these cases, there is little a company can do if it is unaware of a breach. Of course, organizations with strong data security systems should be able to identify and contain a breach relatively quickly. So while companies can’t report a violation they don’t know about, that’s not exactly a good excuse.

Another reason a data breach may not be reported immediately is that the company is cooperating with a law enforcement investigation. In some situations, law enforcement asks victimized businesses not to report a breach so as not to alert hackers that the breach has been detected and is being investigated. By not reporting the breach, it gives law enforcement time to investigate the incident and potentially catch the criminals who orchestrated the attack.

Finally, another reason a company may not immediately report a breach is that they are in the process of reviewing leaked data to see what types of data were exposed and who was affected. Once a company becomes aware of a data breach, it must review the compromised files, which can take time. However, nothing prevents a company from issuing prior notice to all customers whose information may have been affected.

Of course, some companies don’t report a data breach because it’s not high on their priority list or because they fear public backlash. It’s too early to say why Valex waited over a year to let consumers know their information had been leaked, but it certainly raises some questions.

Luisa D. Fuller