Finance & Banking , Incident & Breach Response , Industry Specific

MoneyGram Money Transfer Firm Reports Customer Data Breach

Stolen Data Includes Social Security Numbers and Details of Criminal Investigations
MoneyGram Money Transfer Firm Reports Customer Data Breach
A MoneyGram exchange office in Mons, Belgium, on Sept. 16, 2018. (Image: Shutterstock)

MoneyGram Payment Systems, a money transfer system, said hackers who hit its infrastructure last month stole customer data.

See Also: Securing the Cloud for Financial Services

After detecting the attack on Sept. 23, Dallas-based MoneyGram took multiple systems offline. An outage affecting the company's services began Sept. 20, as detailed by numerous customers on social media. The company publicly confirmed the outage on the next day.

In a Monday update, the company said it brought in the intrusion response firm CrowdStrike to help with probe intrusion. MoneyGram subsequently restored systems and resumed "normal business operations" on Sept. 26.

Investigators on Sept. 27 found that from Sept. 20 to 22, attackers stole reams of customer data.

MoneyGram processes more than $200 billion in transactions annually in more than 200 countries. Results of a customer survey published by MoneyGram last month say that of those who use the service to send money abroad, nearly half do so to cover family food costs, while more than one-third send money to cover emergency expenses. More than one-third reported using the service to cover housing expenses.

While "the types of impacted information varied by affected individual," MoneyGram said the stolen information includes:

  • Customer names;
  • Contact details, including phone numbers, email and postal addresses;
  • Dates of birth;
  • Social Security numbers - to a "limited" extent;
  • Government identification document copies, such as driver's license scans;
  • Identity documents, such as utility bills;
  • Bank account numbers;
  • Transaction details, such as dates and amounts of transactions;
  • Reward program numbers;
  • Information tied to criminal investigations, for example, for fraud.

Customers this week continued to report outages in multiple countries, including the United Kingdom, although it's not clear if those might be tied to the hack attack.

MoneyGram said its investigation is continuing. It has yet to publicly quantify the number of affected consumers, or to detail the extent to which any information pertaining to non-U.S. customers may have been stolen.

An unnamed source with knowledge of the company's investigation told Bleeping Computer the intrusion appears to trace to a social engineering attack against MoneyGram's IT help desk, and does not involve ransomware. The social engineering ruse enabled the hacker "to access MoneyGram's network using an employee's credentials and target employee information in the company's Windows Active Directory Services," the publication reported.

Tactics Parallel Scattered Spider

While no attacker or group has claimed credit for the MoneyGram attack, such tactics parallel those used by the cybercrime group codenamed Scattered Spider by CrowdStrike, and also known as UNC3944, 0ktapus, Octo Tempest, Scatter Swine and Muddled Libra.

The group, largely comprised of Americans and Brits, calls itself "Star Fraud" and emerged in late 2022 as an offshoot of the cybercrime community that calls itself "The Community," aka the Com or Comm, from which Lapsus$ also sprung.

Scattered Spider has been tied to a number of rapidly executed, high-profile help desk social engineering and multifactor authentication bypass attacks.

Google's Mandiant incident response group reported in June that while the group initially "focused on credential harvesting and SIM swapping attacks in their operations, eventually migrating to ransomware and data theft extortion," they've since "shifted to primarily data theft extortion, without the use of ransomware."

Despite arrests of some alleged key members, the highly decentralized group appears to be carrying on (see: Spanish Police Bust Alleged Leader of Scattered Spider).

The group's more than 130 victims to date have included MGM Resorts, Clorox and potentially the cryptocurrency trading platform Coinbase Global.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.