Product leasing giant warns that sensitive information was stolen during cyberattack

Progressive Leasing, a billion-dollar company that allows people to lease consumer products, announced a cyberattack last week.

In a statement to Recorded Future News, the company said it has seen no “major” operational impacts to its services as a result of the attack but noted that it is still investigating what happened.

“Progressive Leasing recently experienced a cybersecurity incident affecting certain Progressive Leasing systems. Promptly after detecting the incident, we engaged leading third-party cybersecurity experts and launched an investigation,” a spokesperson said.

“Our team is working diligently alongside our cybersecurity experts and with law enforcement to investigate and respond to this incident … The investigation into the incident, including identification of the data involved, remains ongoing.”

The Salt Lake City-based company has dozens of partnerships with major retailers like Best Buy, Samsung, Cricket, Lowe's, Zales, Overstock, Dell and more. They are one of the biggest lease-to-own companies in operation and are part of a larger corporation — PROG Holdings — that offers “buy now, pay later” options.

On Thursday, the corporation reported the cyberattack to regulators at the SEC, writing that it “believes the involved data contained a substantial amount of personally identifiable information, including social security numbers, of Progressive Leasing’s customers and other individuals.”

“Progressive Leasing will provide notice to those individuals whose personally identifiable information was involved in the incident, as well as to regulatory authorities, in accordance with applicable laws,” it said.

“The Company has incurred, and may continue to incur, significant expenses to respond to, remediate and investigate this matter. The full scope of the costs and related impacts of this incident, including the extent to which these costs will be offset by the Company’s cybersecurity insurance, has not been determined.”

The company’s chief financial officer added that they do not expect there to be a financial fallout from the attack as a result of limited operations — unlike cleaning giant Clorox, which reported to the SEC last week that it was facing production issues after a cyberattack.

Cybersecurity expert Dominic Alvieri said the AlphV/Black Cat ransomware gang took credit for the attack on Friday, adding the company to its leak site and claiming to have stolen the personal information of more than 40 million customers.

The ransomware gang caused international headlines last week with its attack on MGM Resorts — an incident that is still causing widespread problems across Las Vegas.