The Valsoft data breach has affected more than 160,000 individuals, with sensitive personal information exposed during a security incident earlier this year. The Canada-based vertical market software company—operating under the name AllTrust—confirmed the breach, which occurred in February 2025, impacted one of its subsidiaries, Aspire USA.
The breach was uncovered on February 14, when Aspire’s internal security team detected a suspicious file transfer happening in real-time. Acting quickly, the team was able to interrupt the unauthorized activity mid-transfer, likely preventing even greater data loss.
According to AllTrust, the attackers had access to Aspire’s non-production network environment for roughly three days—from February 12 through February 15. While some data was stolen, the company stated it couldn’t determine exactly which files were accessed. Despite this uncertainty, AllTrust insists the breach presents a minimal risk of harm to those affected, thanks to their prompt response.
However, the exposed systems did hold a range of personally identifiable information (PII), including full names, driver’s license numbers, Social Security numbers, and financial account details. Although there is currently nob evidence of actual misuse, AllTrust began notifying affected individuals on February 27, out of what it calls “an abundance of caution.”
This week, the company reported to the Maine Attorney General’s Office that 161,359 individuals were impacted. To support those affected, AllTrust is offering a year of free credit monitoring services and identity protection.
In response to the breach, the company has rolled out new cybersecurity measures, launched an internal review of its policies, and notified regulatory authorities across relevant states.
The Valsoft data breach highlights the growing threat of cyberattacks even on internal and development environments, reinforcing the need for stronger endpoint monitoring, swift incident response, and data encryption practices across all business units.
