TitleMax hack exposes 4.8 million customers' data


TMX Financial, which operates title loan brand TitleMax and other services, publicly disclosed on Thursday that it suffered a data breach exposing the personal information of 4.8 million people, including their Social Security numbers.

The company said in a letter to affected consumers that it detected suspicious activity on Feb. 13 and concluded on March 1 that there had been a breach starting in December. Hackers stole the data between Feb. 3 and Feb. 14, according to the letter.

The specific information involved in the breach, according to TMX, "may have" included names, dates of birth, passport numbers, driver's license numbers, federal or state identification card numbers, tax identification numbers, Social Security numbers, financial account information, phone numbers, street addresses and email addresses.

One measure financial companies can take to protect personally identifiable information (PII) on consumers is to collect less of it, according to James McQuiggan, a security awareness advocate for cybersecurity awareness training platform KnowBe4.

"One of the most critical steps companies can take to protect PII is collecting only the data necessary to conduct business and storing it securely so unauthorized parties cannot access it," said McQuiggan. "Organizations should also ensure that any third-party vendors or partners they work with are implementing strong cybersecurity measures."

Among financial companies, the breach is the largest so far this year to be reported to the Maine attorney general's office, which publishes reports about data breaches affecting any Maine resident.

The data breach is not the only trouble TMX has faced this year. The Consumer Financial Protection Bureau announced on February 23 that it would fine TitleMax $10 million for violating the Military Lending Act. TitleMax allegedly provided title loans to military families illegally, oftentimes charging nearly three times the 36% annual interest rate cap, according to the CFPB — a practice that it has allegedly engaged in since 2016.

Debt collector NCB Management Services also reported a large data breach earlier this month. On March 24, the company told the Maine attorney general that hackers stole data from 490,000 consumers, specifically information about their ID cards and Bank of America credit card accounts. That breach did not impact Bank of America's systems, NCB emphasized in a letter to affected consumers.

So far this year, 10 other financial companies have reported data breaches affecting more than 500 people. The bank or credit union with the largest breach so far this year is Hatch Bank, which had 140,000 consumers' data stolen. In that case, hackers exploited a zero-day vulnerability in file-transfer software known as GoAnywhere, according to a letter the bank sent to affected customers.
