TMX Finance, parent company of TitleMax, TitleBucks, and InstaLoan logo
(image source: TMX Finance (topworkplaces.com), n.d.)
One-sentence summary:
A data breach at TMX Finance, parent company of TitleMax, TitleBucks, and InstaLoan, affected 4.8 million customers and resulted in three class-action lawsuits.
Who was involved?
TMX Finance (parent company of TitleMax, TitleBucks, and InstaLoan); 4,822,580 customers; and a threat actor.
What was the timeline?
December 10, 2022: Threat actors gain initial access to TMX Finance (Illman, 2023)
February 13, 2023: TMX Finance detects “suspicious activity”
March 1, 2023: TMX Finance discovers the breach (per Maine OAG report) (Illman, 2023)
March 30, 2023: TMX Finance begins consumer notification but says its investigation is “still in progress”
March 31, 2023: Class-action lawsuit is filed against TMX Finance in federal court in the Southern District of Georgia
What occurred?
In December 2022, TMX Finance suffered a data breach that went undetected for over two months and affected over 4.8 million customers (Illman, 2023; TMX Finance, 2023). Breached information included: “name, date of birth, passport number, driver’s license number, federal/state identification card number, tax identification number, social security number and/or financial account information, and other information such as phone number, address, and email address” (TMX Finance, 2023). A day after consumer notification, a class-action lawsuit was filed in the Southern District of Georgia (Kolstedt v. TMX Finance Corporate Services, Inc., 2023). Two additional class-action lawsuits have been filed in the same district (Justia, 2023a; Justia, 2023b).
Estimated costs:
Associated incident response costs, breach notification costs, “global forensic cybersecurity experts,” 12 months of Experian IdentityWorks, litigation defense costs, and a 7-day-a-week call center
Involved laws:
State: Maine: 10 M.R.S.A. § 1346
Georgia: Georgia Deceptive Trade Practices Act (“Georgia DTPA”), Ga. Code Ann. § 10-1-370(5) (Kolstedt v. TMX Finance Corporate Services, Inc., 2023, p. 38).
Root cause:
TBA or N/A (see disclaimer)
Lessons learned:
“endpoint protection and monitoring” (TMX Finance, 2023, p. 1).
Sources:
Illman, E. (2023). Data Breach Notifications. In Office of the Maine Attorney General. Retrieved April 9, 2023, from https://apps.web.maine.gov/online/aeviewer/ME/40/179ab0ce-2c43-4119-ae5a-db766d4be3e0.shtml
Justia. (2023a, April 4). Ross v. TMX Finance Corporate Services, Inc. et al. Justia Dockets & Filings. Retrieved April 9, 2023, from https://dockets.justia.com/docket/georgia/gasdce/4:2023cv00078/89592
Justia. (2023b, April 7). Carder v. TMX Finance Corporate Services, Inc. et al. Justia Dockets & Filings. Retrieved April 9, 2023, from https://dockets.justia.com/docket/georgia/gasdce/4:2023cv00088/89650
Kolstedt v. TMX Finance Corporate Services, Inc., Docket No. 4:23-cv-00076-WTM-CLR (S.D. Ga. 2023). https://www.classaction.org/media/kolstedt-v-tmx-finance-corporate-services-inc.pdf
TMX Finance. (2023). NOTICE OF DATA BREACH. In Data Breach Notifications. Office of the Maine Attorney General. Retrieved April 9, 2023, from https://apps.web.maine.gov/online/aeviewer/ME/40/179ab0ce-2c43-4119-ae5a-db766d4be3e0/10c498f9-1367-4030-bacc-e5698f177f13/document.html
TMX Finance (topworkplaces.com). (n.d.). SE88894_logo_orig.png. topworkplaces.com. https://content.energage.com/company-images/SE88894/SE88894_logo_orig.png
