Subprime Lender TitleMax Hit With Hacking Incident
Personal and - Potentially - Financial Data Exposed in 'Contained' Incident
The parent company of subprime lender TitleMax says hackers made off with the Social Security numbers and financial account information of up to nearly 5 million individuals.
TMX Finance Corporate Services also operates the brands TitleBucks and InstaLoan. It disclosed that hackers stole information over an 11-day period ending Feb. 14, although it tells affected customers that the hackers may have gained entry into its systems in early December.
The company notified the FBI and "believes the incident has been contained."
The breach exposed the names, birthdates, driver's license numbers and Social Security numbers of 4,822,580 people. The incident also exposed customers' financial account information.
TMX brands have come under repeated federal scrutiny for their lending practices, which typically require a customer to put a car or motorcycle up as collateral. The Consumer Financial Protection Bureau fined TMX $9 million in 2016 and a further $10 million in February in an enforcement action that also required TMX to refund $5 million in fees to consumers.
The company advertises loans with reasonable interest rates, but the true annual cost of borrowing can run as high as 179%, a January investigation by ProPublica found. TMX did not immediately respond to a request for comment about the investigation or the data breach.
Even as it continues to probe the incident, the company says it has implemented additional endpoint protection and monitoring solutions and reset employee passwords, and it is offering a year's worth of credit monitoring and identity protection services to affected customers.