TMX Finance and its subsidiaries TitleMax, TitleBucks, and InstaLoan have collectively disclosed a data breach that exposed the personal data of 4,822,580 customers.
TitleMax is a lending business operating 1,100 stores across the U.S., TitleBucks is a car title loans service, and InstaLoan is a fast-approval personal loan service for those with bad credit.
In a data breach notification letter sent yesterday to impacted individuals, the Canadian finance giant informs that hackers breached its systems in early December 2022 but did not detect the breach until February 13th, 2023.
After completing the internal investigation on March 1st, 2023, TMX found that the network intruders had stolen client information between February 3rd and 14th, 2023.
“On February 13, 2023, we detected suspicious activity on our systems and promptly took steps to investigate the incident,” reads the data breach notice.
“Based on the investigation to date, the earliest known breach of TMX’s systems started in early December 2022.”
“On March 1, 2023, the investigation confirmed that information may have been acquired between February 3, 2023 – February 14, 2023.”
TMX says that the following customer data was exposed during the security breach:
- Full name
- Date of birth
- Passport number
- Driver’s license number
- Federal/state identification card number
- Tax identification number
- Social security number
- Financial account information
- Phone number
- Physical address
- Email address
TMX believes the security incident has now been contained but continues monitoring its systems for suspicious activity.
Additionally, the company has implemented endpoint protection and monitoring and reset all employee account passwords to block access through potentially compromised internal accounts.
The firm’s data breach notice also encloses instructions for individuals to enroll for a free 12-month identity protection service through Experian and request a security freeze.
TMX says it has notified the FBI of the security incident but did not withhold the distribution of the notice to impacted clients to allow law enforcement to investigate.
“We encourage you to remain vigilant against potential identity theft and fraud by carefully reviewing credit reports and account statements to ensure that all activity is valid,” concludes the letter.