MoneyGram says customer information stolen during September attack

MoneyGram confirmed on Monday night that customer information was stolen during a cyberattack last month that caused international outrage after customers could not send funds. 

The company posted a new message on its website that was first reported by TechCrunch. MoneyGram has refused to respond to requests for comment since the incident was confirmed on September 24, declining to explain whether the service outage was caused by a ransomware attack or something else. 

In the new message, the company explained that by September 27 it determined that “an unauthorized third party accessed and acquired personal information of certain consumers between September 20 and 22, 2024.”

MoneyGram did not respond to requests for comment about how many people are affected but said the stolen data included names, contact information, Social Security numbers and government-issued IDs — and in some cases, utility bills, bank account numbers and transaction information.  

And “for a limited number of consumers,” the affected data included “criminal investigation information (such as fraud).”

MoneyGram said it has sought the assistance of cybersecurity experts and has been working with law enforcement.

“Upon detecting the issue, we took steps to contain and remediate it, including proactively taking certain systems offline, which temporarily impacted the availability of our services,” the company said. 

MoneyGram’s systems were back to normal by September 26, but hundreds of customers descended on social media to complain about the outages. 

The company facilitates billions of dollars’ worth of remittances sent each year from the U.S. and Europe to the developing world. The incident prompted several governments to apologize to citizens for the outages on behalf of MoneyGram and warn of delays in receiving funds. More than $200 billion in transactions goes through the company each year in over 200 countries and territories.

MoneyGram said it would offer two years of identity protection and credit monitoring services to some customers affected by the breach — additionally urging customers to “remain vigilant” about scam attempts. 

BleepingComputer reported this weekend that it obtained an email MoneyGram sent to partners on September 25 that said it hired cybersecurity giant CrowdStrike to conduct an investigation and no evidence of ransomware was discovered. 

A source told the news outlet that MoneyGram was breached through a social engineering attack that targeted the company’s IT help desk — a tactic used successfully in attacks on Microsoft, MGM Casino and other large companies. 

A spokesperson for the U.K. government’s Information Commissioner’s Office told Recorded Future News that it has received a report from MoneyGram and “will be making enquiries.”