Personal, and Potentially Financial Data Exposed in ‘Contained’ Incident
The parent company of subprime lender TitleMax says hackers made off the Social Security numbers and financial account information of up to nearly 5 million individuals.
TMX Finance Corporate Services also operates the brands TitleBucks and Instaloans. It disclosed that hackers stole information over an 11 day period ending Feb. 14, although it tells affected customers that the hackers may have gained entry into its systems in early December.
The company notified the FBI and “believes the incident has been contained.”
The breach exposed the names, dates of birth, driver’s license and Social Security numbers of 4,822,580 people. The incident also exposed customers’ financial account information.
TMX brands have come under repeated federal scrutiny for its lending practices, which typically require a customer to put a car or motorcycle up as collateral. The Consumer Financial Protection Bureau fined it $9 million in 2016 and a further $10 million in February in an enforcement action that also required TMX to refund $5 million in fees to consumers.
The company advertises loans with reasonable interest rates but the true annual costs of borrowing add up to as high as 179%, a January investigation from ProPublica found. TMX did not immediately respond to a request for comment about the investigation or the data breach.
Even as it continues to probe the incident, the company says it has implemented additional endpoint protection and monitoring solutions, reset employee passwords and is offering a year’s worth of credit monitoring and identity protection services to affected customers.