Universal Pure LLC, North America's largest high-pressure processing (HPP) service provider for the food and beverage industry, has disclosed a data breach affecting individuals across multiple states. According to filings submitted to the Maine, New Hampshire, and Texas attorneys general beginning April 21, 2026, threat actors maintained unauthorized access to company systems between July 10 and August 20, 2024, exfiltrating files containing Social Security numbers, driver's license numbers, financial account data, and medical information. Texas reported the largest affected population with 1,179 residents impacted.
What Happened
Between July 10 and August 20, 2024, unauthorized actors accessed Universal Pure's computer systems and exfiltrated files on separate occasions across the roughly six-week intrusion window. Universal Pure identified the suspicious activity on August 20, 2024, the same date the intrusion window ended, and immediately moved to secure its network and launch an investigation. A detailed review of affected systems and files to determine which individuals were impacted was not completed until August 7, 2025, nearly one year after discovery. The company then worked with a notification vendor to validate mailing addresses through the National Change of Address database, a process that concluded on April 15, 2026. Consumer notification letters are dated April 21, 2026, roughly 20 months after initial discovery.
What Was Taken
Exposed data varies by individual but may include:
- Full names
- Social Security numbers
- Driver's license numbers
- Financial account information
- Medical information
- Health insurance information
State attorney general filings report one Maine resident, three New Hampshire residents, and 1,179 Texas residents affected. The combination of government identifiers, financial data, and protected health information represents a full identity theft toolkit per affected record.
Why It Matters
Universal Pure sits at a critical junction in the North American food and beverage supply chain, providing HPP services to a broad customer base of producers. A six-week dwell time with repeated exfiltration events at an infrastructure provider of this scale indicates either an opportunistic intrusion that went undetected or deliberate targeting of supplier-held employee, contractor, or customer records. The 20-month gap between discovery and notification also raises material concerns about state breach notification statute compliance and leaves affected individuals exposed to identity fraud with no protective monitoring in place for the duration.
The Attack Technique
Universal Pure has not publicly attributed the incident to any known threat actor and has not disclosed the initial access vector, the specific systems affected, or whether ransomware or extortion was involved. The multi-week dwell time with discrete exfiltration events is consistent with human-operated intrusions typical of financially motivated access brokers and extortion groups targeting mid-market manufacturing and food sector firms throughout 2024. The absence of a public leak site posting to date suggests the data may not have been monetized through standard double-extortion channels, or the incident was resolved prior to publication.
What Organizations Should Do
- Deploy network egress monitoring and data loss prevention tooling capable of detecting anomalous outbound file transfers over extended windows, not just single large exfiltration events.
- Tighten detection on identity-adjacent file shares storing HR, payroll, and benefits data containing SSNs, DLs, and health information that drive disclosure obligations.
- Review and rehearse incident response and breach notification timelines against the statutes of states such as Texas, Maine, and New Hampshire, several of which carry strict post-discovery notification windows.
- Conduct tabletop exercises that stress the forensic review phase, which consumed nearly a full year in this case, and identify whether external counsel or DFIR retainers could compress timelines.
- Audit supplier and processor contracts in the food and beverage vertical to confirm breach notification clauses cover third-party infrastructure providers such as HPP tollers and co-packers.
- Enroll any personnel whose data was held by Universal Pure in the offered Cyberscout credit monitoring and layer additional credit freezes where appropriate.
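The first recommendation above, sketched as detection logic (an added example, not from Universal Pure or the source article): it compares a per-transfer size rule with a sliding-window total per host and destination, so repeated moderate transfers spread over weeks are caught. The flow records, hostnames, addresses, and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

MB = 1024 * 1024

# Constructed egress records: (day, internal host, external destination, bytes out).
# Hostnames are hypothetical; addresses come from the RFC 5737 documentation ranges.
FLOWS = [
    (date(2025, 1, 6), "hr-fs01", "203.0.113.7", 180 * MB),
    (date(2025, 1, 14), "hr-fs01", "203.0.113.7", 220 * MB),
    (date(2025, 1, 25), "hr-fs01", "203.0.113.7", 150 * MB),
    (date(2025, 2, 5), "hr-fs01", "203.0.113.7", 240 * MB),
    (date(2025, 2, 16), "hr-fs01", "203.0.113.7", 200 * MB),
    (date(2025, 1, 10), "build02", "198.51.100.20", 90 * MB),
    (date(2025, 2, 1), "build02", "198.51.100.20", 60 * MB),
    (date(2025, 2, 3), "mail01", "198.51.100.99", 700 * MB),
]

def single_event_alerts(flows, per_event_limit):
    """Classic rule: flag any one transfer larger than per_event_limit."""
    return sorted({(host, dest) for _, host, dest, n in flows if n > per_event_limit})

def windowed_alerts(flows, window_days, window_limit):
    """Flag (host, dest) pairs whose summed egress inside any sliding
    window of window_days exceeds window_limit; returns the peak total."""
    by_pair = defaultdict(list)
    for day, host, dest, n in flows:
        by_pair[(host, dest)].append((day, n))
    alerts = {}
    for pair, events in by_pair.items():
        events.sort()
        start, total, peak = 0, 0, 0
        for day, n in events:
            total += n
            # Drop transfers that fell out of the window ending on `day`.
            while events[start][0] <= day - timedelta(days=window_days):
                total -= events[start][1]
                start += 1
            peak = max(peak, total)
        if peak > window_limit:
            alerts[pair] = peak
    return alerts

if __name__ == "__main__":
    print("single-event:", single_event_alerts(FLOWS, 500 * MB))
    print("45-day window:", windowed_alerts(FLOWS, 45, 800 * MB))
    print("14-day window:", windowed_alerts(FLOWS, 14, 800 * MB))
```

With these constructed records the per-transfer rule sees only the one large transfer, the 45-day window flags the file server that sent five moderate transfers to the same destination, and a 14-day window misses it, which is why the window has to be sized to the dwell times being defended against.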
Sources: Universal Pure Data Breach Exposes Sensitive Personal Information