8-K

Check the appropriate box below if the Form 8-K filing is intended to simultaneously satisfy the filing obligation of the registrant under any of the following provisions:

Indicate by check mark whether the registrant is an emerging growth company as defined in Rule 405 of the Securities Act of 1933 (§230.405 of this chapter) or Rule 12b-2 of the Securities Exchange Act of 1934 (§240.12b-2 of this chapter).

Emerging growth company ☐

If an emerging growth company, indicate by check mark if the registrant has elected not to use the extended transition period for complying with any new or revised financial accounting standards provided pursuant to Section 13(a) of the Exchange Act ☐

Items reported in this filing:

Item 1.05 Material Cybersecurity Incidents

Item 7.01 Regulation FD Disclosure

Item 9.01 Financial Statements and Exhibits

Item 1.05 Material Cybersecurity Incidents.

As previously disclosed on August 21, 2025 in a Current Report on Form 8-K filed with the Securities and Exchange Commission (“SEC”), on August 16, 2025, Data I/O Corporation (the “Company”) experienced a ransomware incident (the “Incident”) on certain of its internal IT systems. Through ongoing discovery and investigation efforts, the Company has determined that the Incident was not targeted but originated as a vulnerability of a commercially available third-party firewall service provider. The Company engaged leading cybersecurity experts to support the IT system recovery and conduct a comprehensive investigation. Through dealing with this Incident, the Company has improved and strengthened its IT systems and based on the findings, the Company does not believe any additional actions are necessary.

As of the date of this filing, the Company has restored the affected systems and the Incident has been completely contained and remediated. The Incident temporarily impacted the Company’s operations, including internal/external communications, shipping, receiving, manufacturing production, and various other support functions, which are fully operational as of the date of this filing.  As of the date of this filing, it does not appear that any revenue has been lost as a result of the Incident.  As of September 9, 2025, the estimated costs related to the Incident for remediation, restoration and investigation efforts are expected to total approximately $388,000 in expenses in the third quarter ending September 30, 2025 and will likely have a material impact on the Company’s results of operations and financial condition.

Safe Harbor/Forward Looking Statement and Disclosure Information

This Current Report on Form 8-K contains forward-looking statements made pursuant to the safe harbor provisions of the Private Securities Litigation Reform Act of 1995, such as the Company’s expectations or beliefs regarding future events, actions or performance related to the Incident, including the results of the Company’s investigation of the Incident, the impact of the Incident on the Company and its financial condition and results of operations. Forward-looking statements typically are identified by use of terms such as “anticipate,” “believe,” “expect,” “project,” “may,” “will,” “should,” “could,” “likely” and similar words. Except as required by law, the Company undertakes no obligation to publicly update or revise any forward-looking statements, whether as a result of new information, future events or otherwise. The Company’s actual results could differ materially from those contained in forward-looking statements due to a number of factors, including the impact of the Incident, the results from the Company’s investigation of the Incident, and other risks and factors described by the statements under “Risk Factors” in the Company’s most recent Annual Report on Form 10-K and in its subsequent filings with the United States Securities and Exchange Commission. ****

Item 7.01 Regulation FD Disclosure.

On September 4, 2025, the Company issued a press release entitled “Data I/O Issues Update on Cybersecurity Incident”, attached hereto as Exhibit 99.0.

The information contained in the press release attached hereto is being furnished and shall not be deemed filed for purposes of Section 18 of the Securities Exchange Act of 1934, as amended (the “Exchange Act”), or otherwise subject to the liability of that section, and shall not be incorporated by reference into any registration statement or other document filed under the Securities Act of 1933, as amended, or the Exchange Act, except as shall be expressly set forth by specific reference in such filing.

Item 9.01 Financial Statements and Exhibits.

(d) Exhibits

SIGNATURE

Pursuant to the requirements of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized.

daio_ex990.htm Exhibit 99.0

Data I/O Issues Update on Cybersecurity Incident

All Systems Operational with No Impact to Customers or Orders

Redmond, WA, September 4, 2025 – Data I/O Corporation (NASDAQ:DAIO), the leading global provider of advanced security and data deployment solutions for microcontrollers, security ICs and memory devices, today provided an update on the recently announced cybersecurity incident.

William Wentworth, the Company’s President and CEO, stated, “We are pleased to report that the ransomware incident as first identified on August 16, 2025 has been completely contained and remediated.  It was determined that the attack was not targeted but originated as a vulnerability of a commercially available third-party firewall service provider.  With the breach being remediated, at present all our systems globally have been restored.  We do not believe we have any risk exposure from the incident. After working diligently to restore the affected systems with leading cybersecurity experts, we believe our IT systems are now better protected than ever.   Equally important is that our order flow from bookings to deliveries is on track and we believe no revenue has been lost as a result of the incident.

“The remediation, restoration and investigation efforts are expected to total approximately $180,000 in expenses in the third quarter ending September 30, 2025.  However, on an annualized basis we have reduced about $300,000 from our spending through our ongoing efforts to optimize performance.  Through dealing with this incident, we have dramatically improved our corporate processes and strengthened our IT systems for enhanced security and scalability.  In the end, our business remains on course. We are grateful for the efforts and dedication of our global workforce and external advisors for their amazing response and recovery efforts.”

About Data I/O Corporation

Since 1972, Data I/O has developed innovative solutions to enable the design and manufacture of electronic products for automotive, Internet-of-Things, medical, wireless, consumer electronics, industrial controls and other electronics devices. Today, our customers use Data I/O’s data programming solutions and security deployment platform to secure the global electronics supply chain and protect IoT device intellectual property from point of inception to deployment in the field.  OEMs of any size can program and securely provision devices from early samples all the way to high volume production prior to shipping semiconductor devices to a manufacturing line. Data I/O enables customers to reliably, securely, and cost-effectively bring innovative new products to life.  These solutions are backed by a portfolio of patents and a global network of Data I/O support and service professionals, ensuring success for our customers.  Learn more at dataio.com/Company/Patents.

Safe Harbor/Forward Looking Statement and Disclosure Information

Statements in this news release concerning the impact of the cybersecurity impact on the Company’s business and financial results, economic outlook, expected revenue, expected margins, expected savings, expected results, expected expenses, orders, deliveries, backlog and financial positions, semiconductor chip shortages, supply chain expectations, as well as any other statement that may be construed as a prediction of future performance or events are forward-looking statements which involve known and unknown risks, uncertainties and other factors which may cause actual results to differ materially from those expressed or implied by such statements.

Forward-looking statement disclaimers also apply to the impact of the cybersecurity incident, demand for the Company’s products and the impact from geopolitical conditions including any related international trade restrictions as well as the ongoing investigation of the August 2025 cybersecurity incident and the possibility that the Company’s containment and remediation efforts may be unsuccessful or becomes a challenging force in maintaining market share. Factors that may impact the Company’s operations and finances include uncertainties as to the ability to record revenues based upon the timing of product deliveries, shipping availability, installations and acceptance, accrual of expenses, coronavirus related business interruptions, changes in economic conditions, part shortages, business disruptions and other risks including those described in the Company’s 10-K, 10-Q and other periodic filings with the Securities and Exchange Commission (SEC), press releases and other communications.

Data I/O may use its website ( www.dataio.com ) and investor relations page ( www.dataio.com/Company/Investor-Relations ), its X account ( @DataIO_Company ), and its LinkedIn page ( linkedin.com/company/data-io ) to disclose material non-public information and for complying with its disclosure obligations under Regulation FD. Accordingly, investors and other interested parties should monitor these sites, in addition to following Data I/O’s press releases, Securities and Exchange Commission (SEC) filings, public conference calls and public presentations/webcasts.

Contact:

Darrow Associates, Inc.

Jordan Darrow

512-551-9296

jdarrow@darrowir.com