US money transfer giant MoneyGram has confirmed to customers that their personal information (PII) may have been stolen in a data breach incident.
The firm posted a notice on its website yesterday following several days of speculation as to what had happened.
It claimed that it discovered evidence of the breach on September 27, after an “unauthorized third party” was able to access the PII of an unknown number of customers between September 20 and 22.
“The impacted information included certain affected consumer names, contact information (such as phone numbers, email and postal addresses), dates of birth, a limited number of Social Security numbers, copies of government-issued identification documents (such as driver’s licenses), other identification documents (such as utility bills), bank account numbers, MoneyGram Plus Rewards numbers, transaction information (such as dates and amounts of transactions) and, for a limited number of consumers, criminal investigation information (such as fraud),” the notice read.
“The types of impacted information varied by affected individual.”
Read more on money transfer fraud: DoJ Distributes $18.5m to Western Union Fraud Victims
The firm said it proactively took some systems offline after discovering the incident, which temporarily impacted service availability.
This tallies with a post to X (formerly Twitter) on September 23, in which it cited discovery of “a cybersecurity issue.” Presumably at that point, MoneyGram had not determined whether data had been stolen.
MoneyGram recently identified a cybersecurity issue affecting certain of our systems. Upon detection, we immediately launched an investigation and took protective steps to address it, including proactively taking systems offline which impacted network connectivity. We are…
— MoneyGram (@MoneyGram) September 23, 2024
The world’s second-largest money transfer business has claimed that this wasn’t a ransomware attack, although it does bear some of the hallmarks of an extortion attempt.
What is clear is that, given the extent and type of PII stolen, some customers may face a torrid time mitigating the after-effects of the breach. The information could be used to craft convincing follow-on phishing attacks or in identity fraud attempts.
MoneyGram said it is offering impacted US customers identity protection and credit monitoring services for two years free of charge.
“We recommend that you remain vigilant for incidents of fraud and identity theft by reviewing account statements and monitoring your free credit reports,” it said.
Last year, 40,000 victims of fraud schemes that used MoneyGram received $115m in compensation forfeited by the company in 2018 as part of a deferred prosecution agreement (DPA).
Image credit: Robson90 / Shutterstock.com