A data breach at Aspire USA, which provides software services to money service businesses, exposed the personal information of over 161,000 individuals, according to
Aspire and its parent companies, Valsoft and AllTrust, could not determine which specific files the threat actor stole, according to the disclosure. The companies also did not disclose how exactly the threat actor gained access to Aspire's system.
AllTrust provides software operations to various money services businesses in the U.S., including grocery, retail, and money services chains. It offers products including check cashing solutions, bill pay and compliance services. As such, the stolen data might exacerbate problems with fraud at the victims' banks.
Aspire, AllTrust and Valsoft first detected unusual activity on a non-production computer belonging to Aspire on Feb. 14, 2024. The internal security team identified an in-progress file transfer and interrupted it mid-transfer.
A follow-up investigation launched with third-party cybersecurity and forensic specialists determined that an unauthorized actor accessed the network between February 12, 2024, and February 15, 2024.
Valsoft and AllTrust disclosed the data breach to the Maine Attorney General last week, according to the state. The companies said they had "recently completed" the task of identifying which individuals might have had their information stolen in the breach.
Representatives at Valsoft, AllTrust or Aspire did not immediately respond to a request for comment.
Reporting took more than a year
The companies said they began notifying customers about the breach on Feb. 27, 2025, more than a year after the initial breach occurred the previous February.
Some states specify the number of days a company has to report a data breach to individual victims, starting when the company first discovers the breach. Often, companies have 30 or 45 days, but exceptions are made when law enforcement has asked the company not to report the information publicly, since a delay in disclosure can reduce the risk of an attacker covering their tracks.
In particular, Maine gives companies 30 days to provide this disclosure.
AllTrust said in its disclosure the notification had not been delayed by law enforcement, although the company had started coordinating with police upon learning about the breach.
The companies involved
AllTrust provides software operations services to various money service businesses throughout the U.S. The affected individuals were likely customers of these businesses who may have used AllTrust software to cash checks or pay bills.
Valsoft, based in Montreal, Canada, acquires and develops vertical market software companies globally. The company's model is to acquire, enhance and grow these businesses using a decentralized management approach, partnering with local management teams.
Aspire Software is an operating group of Valsoft Corp and runs as the operating arm of Valsoft. Aspire primarily focuses on operating and managing Valsoft's portfolio of software companies, specifically within the travel and leisure sector. Aspire, which managed the network where the breach occurred, is a subsidiary of AllTrust.
Data involved
Aspire, its parent companies and investigators were "unable to confirm which specific files within those systems were actually accessed or taken," according to the disclosure to the Maine Attorney General.
The companies' analysis of the data on the computer the threat actor accessed indicates that the information potentially subject to unauthorized access includes names, Social Security numbers, state-issued identification numbers and financial account information.
The companies said the data breach potentially affected 161,359 people, who have been notified about the incident.