Consumer lender TMX Finance has disclosed a data breach that affected over 4.8 million people.
TMX Finance notified the impacted customers, hired external cybersecurity experts and filed a data breach notification with the Office of the Maine Attorney General.
TMX Finance operates as TitleMax in about 1,000 stores in the United States, and its customers include those with limited access to banks due to poor or no credit.
Consumer lender TMX Finance confirms a data breach
TMX said it detected suspicious activity on February 13, 2023, and launched an investigation with global cybersecurity forensics experts. The investigation determined the threat actor gained access in early December 2022.
On March 1, 2023, TMX concluded that the threat actor obtained certain information between February 3, 2023, and February 13, 2023.
“We promptly began a review of potentially affected files to determine what information may have been involved in this incident. We notified the FBI but have not delayed this notification for any law enforcement investigation.”
TMX data breach leaked sensitive personal data
The consumer lender determined that the data breach exposed the victims’ names, dates of birth, passport numbers, driver’s license numbers, federal/state identification card numbers, tax identification numbers, social security numbers, and/or financial account information.
Additionally, the data breach leaked the basic personal data of 4,822,580 customers, including phone numbers, addresses, and email addresses.
Collectively, this information would be a goldmine for identity theft and phishing attacks.
Although the consumer lender believes the data breach has been resolved, it is continuously monitoring its systems, has implemented additional security measures, and has reset employees’ passwords.
Additionally, TMX is offering twelve months of complimentary credit monitoring and identity protection services. Meanwhile, the consumer lender advised customers to be on the lookout for fraud and identity theft by monitoring credit reports and financial statements, and not to hesitate to report any suspicious activity to law enforcement.
“The victims of this breach can take several steps to protect themselves and minimize the risk of identity theft or other forms of fraud,” said James McQuiggan, security awareness advocate at KnowBe4. “First and foremost, regularly monitoring your credit reports and financial accounts is essential.”
McQuiggan also recommended checking for suspicious activity such as unfamiliar charges, changing passwords for online accounts, and enabling two-factor authentication.
The consumer lender has not disclosed the threat actor’s identity, the attack vector, or whether any ransom demands were made. No cybergang has claimed responsibility for the attack either.
Despite its best attempts to mitigate the impacts of the data breach, the consumer lender is likely to face serious regulatory actions, given the nature of the exposed data.
However, TMX is no stranger to lawsuits and fines stemming from its lending business model resembling payday loans.
The Consumer Financial Protection Bureau (CFPB) found that TMX violated the Military Lending Act, which caps interest rates for servicemembers at 36%, by charging them above the maximum limit, and several times over 100%.
TMX was accused of making over 2,670 prohibited auto title loans and charging unlawful fees on approximately 15,000 loans, hurting military families and other consumers.
Subsequently, the consumer lender was ordered to pay $5.05 million to redress consumer losses from the illegal fees and a $10 million penalty to the victims’ relief fund.