Cyber Incident Victim: Valex Corporation
Date:
Jun 2021
Location:
United States of America
Summary
Valex Corporation experienced a malware attack that compromised consumer data, including names, dates of birth, and Social Security numbers. The breach occurred over a two-day period, during which an unauthorized party accessed and removed data from the company's systems. Following discovery, the manufacturer of high-purity stainless steel components secured its infrastructure, initiated an investigation, and later confirmed the exposure of sensitive information. Notification letters were sent to affected individuals over a year after the initial incident detection. The delayed disclosure raised concerns about potential risks to victims, though the company cited system reviews and impact assessments as part of the response process.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Valex Corporation, a Ventura-based manufacturer of ultra-high purity stainless steel components founded in 1976, experienced unauthorized system access between June 30 and July 1, 2021. The company discovered a malware attack around July 1, 2021, prompting immediate containment measures including system security reinforcement and restoration of authorized access. Valex initiated an investigation to assess potential consumer data compromise, confirming that an intruder exfiltrated certain information from its servers during the two-day intrusion window. The forensic analysis could not differentiate between data merely accessed versus data both accessed and removed. By August 25, 2022, Valex completed its review of affected files, determining that compromised records included individuals' names, dates of birth, and Social Security numbers. The 14-month gap between breach discovery and public disclosure culminated in the company filing an official notice with the California Attorney General and dispatching individualized breach notifications to impacted consumers on that date.
The delayed notification timeline contrasted with standard breach disclosure practices, as threat actors typically exploit stolen data rapidly to maximize identity theft and fraud opportunities before victims can implement protective measures. Valex's investigation confirmed data removal from its systems but provided no specifics regarding attack vectors, malware variants, or total affected individuals. Corporate filings indicated Valex employs 333 personnel and generates approximately $28 million in annual revenue, operating within the industrial manufacturing sector. While the company cited system restoration and forensic review requirements as contributing factors to the disclosure delay, no evidence confirmed whether law enforcement investigations or operational constraints influenced the timeline. The compromised Social Security numbers and birthdates created significant fraud risks for affected individuals, as these data elements enable financial account takeover and synthetic identity creation. Valex did not disclose whether third-party cybersecurity firms assisted their response or if regulatory penalties resulted from the incident.