Failure to follow industry data standards at TMX enabled major data breach that permanently comprises almost 5 million identities.
A class action lawsuit was recently filed against U.S. consumer lending giant TMX Finance alleging that the theft of personal identifying information comprising nearly 5 million people was the result of “negligent and/or careless acts and omissions” on the part of the lender.
TMX subsidiaries affected by the breach include TitleMax, a lender with 1,100 locations nationwide; TitleBucks, a car title loan company; and InstaLoan, which offers quickly approved loans to consumers with bad credit. Current and former consumers who have transacted business with any of these companies are affected by the breach.
According to a notice letter sent to victims, Canada-based TMX Finance detected “suspicious activity” on its systems on February 13 of this year and immediately retained “global forensic cybersecurity experts” to help investigate.
The company said that while its investigation confirmed that the earliest known breach of its systems began in early December 2022, consumer data may have been exfiltrated between February 3 and February 14, 2023.
In its notice dated March 30, TMX Finance stated that although its investigation is still in progress, it believes the “incident has been contained.” The company claims to have rolled out in the wake of the incident additional security measures, such as “additional endpoint protection and monitoring” and the resetting of all employee passwords.
Further, TMX Finance said that it has notified the FBI about the data breach but claimed that it did not delay sending notice to consumers “for any law enforcement investigation.”
What information was stolen?
According to TMX Finance, the information compromised in the incident may have included, but is not limited to, consumers’:
- Dates of birth;
- Social Security numbers;
- Passport numbers;
- Driver’s license numbers;
- Tax ID numbers;
- Federal/state ID card numbers;
- Financial account details;
- Phone numbers;
- Home addresses; and
- Email addresses.
The variety of data stolen would give scammers an opportunity to attempt identity fraud such as opening new lines of credit in the name of breached customers. It could also provide useful information with which to craft highly convincing phishing emails designed to harvest more financial details.
How did this happen?
The lawsuit alleges that TMX stored the above-listed data on its network in an unencrypted, internet-accessible format in violation of industry standards designed to protect consumer data against such a breach.
The suit not only alleges that the financial giant failed to prevent the incident but that it also waited more than three months after the breach before notifying impacted consumers and state attorneys general.
“As a result of this delayed response, Plaintiff and Class Members had no idea their [personally identifiable information] had been compromised, and that they were, and continue to be, at significant risk of identity theft and various other forms of personal, social, and financial harm, including the sharing and detrimental use of their sensitive information,” the complaint reads. “The risk will remain for their respective lifetimes.”
What is TMX doing to protect my identity?
The case notes that TMX has shared with neither victims nor regulators the “root cause” of the data breach, the particular system vulnerabilities exploited by the perpetrators, or the “remedial measures” taken by the company to ensure such an incident does not happen again.
The company has offered impacted consumers 12 months of complimentary credit monitoring and identity protection services through Experian IdentityWorks. To enroll in Experian IdentityWorks, head to ExperianIDWorks.com/credit and enter the activation code included in the data breach notice. Consumers must enroll in the program by July 31, 2023, after which the activation code will no longer work.
Other options available to consumers whose data was compromised include placing a fraud alert on their credit report and requesting a security freeze on their credit file.
The Class Action Lawsuit
The lawsuit looks to cover all individuals whose personally identifiable information was accessed and/or acquired in the data incident of which TMX Finance notified consumers on or around March 30, 2023.