Cyber Incident Victim: Calcium Products Inc.

Calcium Products, Inc., an agricultural mineral powder manufacturer based in Ames, Iowa, publicly disclosed a data security incident on August 17, 2022, through a filing with the Massachusetts Attorney General's office. The company did not specify the nature or cause of the breach in its regulatory notification, nor did it identify the specific data types accessed by unauthorized parties. Industry observers noted that the decision to report the incident to state authorities strongly indicated the compromise involved sensitive consumer information subject to breach notification laws. On the same disclosure date, Calcium Products initiated distribution of data breach notification letters to affected individuals, though these communications reportedly lacked critical details about the scope of exposed data or the intrusion methodology. The company confirmed it had completed impact assessments to identify compromised parties prior to issuing notifications. As remediation, Calcium Products offered impacted individuals 24 months of complimentary credit monitoring and identity theft protection services via TransUnion, a response typically associated with breaches involving high-risk personal data such as Social Security numbers or financial information.

The breach impacted an undisclosed number of individuals whose personal information was stored on Calcium Products' systems, though the company's public communications did not specify whether employees, customers, or business partners were affected. With 97 employees and approximately $19 million in annual revenue, the manufacturer specializes in agricultural products including pelletized limestone and gypsum. While the breach notification did not quantify potential risks, industry data suggests identity theft resolution costs average $1,300 per victim with over 200 hours required for credit restoration. Calcium Products' breach response timeline showed a 17-day interval between the incident's discovery on July 31 and public disclosure on August 17, though no technical details about intrusion vectors, containment procedures, or forensic findings were released. The absence of compromised data specifics in notification letters limited victims' ability to implement targeted protective measures, leaving them to rely on generalized monitoring services provided through TransUnion. No subsequent disclosures clarified whether attacker access extended to proprietary agricultural formulas, operational technology systems, or financial platforms.