NCH Corporation (“NCH”) understands the importance of protecting information regarding our employees and their dependents. This notice provides information about a security incident involving some of that information.

NCH and many organizations use Oracle’s E-Business Suite (“EBS”) software to help manage their operations. An unauthorized actor leveraged a previously unknown vulnerability in Oracle EBS to take information from numerous organizations’ Oracle EBS applications. We recently learned that we were one of those organizations.

Upon becoming aware of the incident, we immediately implemented our response procedures, took measures to secure our implementation of Oracle EBS, and launched an investigation with the support of third-party cybersecurity professionals. We also notified law enforcement and are supporting its investigation.

The evidence showed that an unauthorized actor obtained files from the NCH Oracle EBS application in mid-August. We reviewed the files and, on November 25, 2025, determined that one or more of the files contained information related to the NCH employee group health plan. The information included the names, dates of birth, Social Security numbers, and benefits elections information for certain health plan participants.

This incident did not involve all current and former NCH employees or their dependents, but only those whose information was included in the files involved.

On December 5, 2025, we began mailing notification letters to individuals whose information was identified in the files and for whom we have sufficient contact information. We have also established a dedicated, toll-free call center to answer questions individuals may have about the incident. Individuals with questions can call 888-360-9934, Monday through Friday, between 9:00 a.m. and 9:00 p.m. Eastern Time. We are providing all individuals with a complimentary membership to credit monitoring and identity theft protection services through IDX. Additionally, the notification letters remind individuals that it is always a good idea to be vigilant for incidents of fraud or identity theft by reviewing their account statements and free credit reports for any unauthorized activity.

To help prevent something like this from happening again, we applied the patch that Oracle developed for Oracle EBS after the vulnerability was discovered and took other measures to secure our Oracle EBS instance.