Money transfer service MoneyGram suffered a major attack that exposed its customers’ personal and financial information to cybercriminals.
While the three-day breach began on September 20, 2024, the company has not provided an estimate of the number of victims affected, almost three weeks later.
However, MoneyGram boasts more than 150 million customers across its more than 430,000 locations spanning 200 countries and territories.
The hack exposed basic information such as customer names, their dates of birth, and contact information including phone numbers, emails, and postal addresses.
But the cyberattack also gave the unknown hacker or hackers access to much more sensitive government-issued identification documents: scanned driver’s licenses, national identification numbers and U.S. Social Security numbers.
Above, neon signs for MoneyGram transfer services at a passport photo store in New York.
Payment processors, private data brokers and the biggest names in technology have reported massive data breaches this year, including a historic leak of US Social Security numbers and a hack that extracted data from 1 .7 million consumer credit cards.
MoneyGram alerted consumers to its latest findings in the case on Monday.
“On September 27, 2024, MoneyGram determined that in connection with this matter, an unauthorized third party accessed and acquired personal information of certain consumers,” the company said in a news release.
The payment transfer company said it was working with “leading external cybersecurity experts” and coordinating with authorities.
The company also assured its customer base that only “a limited number of Social Security numbers” had been obtained.
But as a legacy player in the payments space, whose services include traditional wire transfers and money orders, as well as app-based processing and cryptocurrency exchanges, MoneyGram possesses large amounts of private data.
“The types of information affected varied depending on the affected consumer,” the company said in your update on monday.
“For a limited number of consumers,” MoneyGram stated, hackers could have accessed personal information about any existing “criminal investigation information (such as fraud).”
The firm did not provide further details on how many of these investigative files were closed or still active, nor how many ended with the client’s innocent declaration.
Copies of utility bills used to confirm customers’ identities, their bank account numbers, their MoneyGram Plus Rewards numbers, and even data about individual transactions (such as dates and amounts of cash transfers) were also exposed during the attack. , the firm reported.
“MoneyGram’s investigation is in its early stages,” the company said, promising that it was “working diligently to determine which consumers were affected by this issue.”
The attack was reportedly an example of “social engineering,” in which one of the perpetrators posed as an employee seeking technical support from MoneyGram’s IT helpdesk, according to sources who spoke to the site. beepcomputer.
The attack was reportedly an example of “social engineering,” in which one of the perpetrators posed as an employee seeking help from MoneyGram’s IT help desk, a tech site said.
While MoneyGram has yet to confirm or share more details about the incident, it did note that the episode was not a ransomware attack, in which data is frozen using encryption and held for payment.
The company, however, is still working to assess the full extent of private data “accessed and acquired” by the hackers and has “established a dedicated call center” to request more information from affected customers.
MoneyGram said it will offer any of its affected customers two years of free credit monitoring and identity protection services.
CrowdStrike, whose faulty update shut down airlines and other businesses around the world earlier this year, has reportedly been assisting MoneyGram in its investigation of the hack.
