Nearly 5 million people affected by cyberattack on high-cost lender TMX Finance

High-cost lender TMX Finance has contacted the FBI about a cyberattack on its systems that leaked the Social Security numbers of nearly five million people, according to documents filed with state regulators in Maine.

TMX Finance is the parent company of TitleMax, TitleBucks, and InstaLoan – three popular services offering high-cost loans to people who typically do not have access to traditional sources of credit.

The company said it first detected the cyberattack on February 13 and eventually hired cybersecurity experts who said the hackers gained access to TMX systems in early December 2022.

“On March 1, 2023, the investigation confirmed that information may have been acquired between February 3, 2023 – February 14, 2023,” the company said.

“We promptly began a review of potentially affected files to determine what information may have been involved in this incident. We notified the FBI but have not delayed this notification for any law enforcement investigation.”

The hackers stole the names, dates of birth, passport numbers, driver’s license numbers, federal/state identification card numbers, tax identification numbers, Social Security numbers and financial account information of 4,822,580 people.

TMX said it is still investigating the incident but is offering victims 12 months of credit monitoring and identity protection services through Experian IdentityWorksSM.

The company did not respond to requests for comment about what kind of cyberattack they faced or whether a ransom was issued.

TMX Finance has faced dozens of lawsuits and frequent backlash for its business model – which resemble the kind of payday loans considered by many to be predatory.

Several of its businesses allow people to use their car title as collateral for small loans, giving customers one month to pay the loan back before being hit with exorbitant interest rates that at times can reach an annual rate as high as 310%. Thousands of people have reported having their car confiscated when they could not pay back the loans.

In February, the Consumer Financial Protection Bureau ordered TMX Finance to pay more than $5 million in consumer relief and a $10 million civil money penalty for violating the Military Lending Act by extending prohibited title loans to military families and, oftentimes, by charging nearly three times over the 36% annual interest rate cap.

Several states have passed laws banning their practices but that has had little effect on their business, which is now available at 900 stores in over 14 states.

TMX’s announcement came about one week after debt-buying giant NCB Management Services said nearly 500,000 people had their Social Security numbers and significant financial data leaked during a cyberattack in February.

Last year, a ransomware attack on a medical debt collection company leaked sensitive information from 657 healthcare organizations.