Cyber Incident Victim: Progressive Leasing
Date:
Sep 2023
Location:
United States of America
Summary
Progressive Leasing experienced a cybersecurity incident involving an external system breach that compromised sensitive personal information, including Social Security Numbers, affecting hundreds of thousands of individuals. The AlphV/Black Cat ransomware gang claimed responsibility, alleging theft of data from millions of customers, though the company confirmed a substantial amount of personally identifiable information was involved. The breach prompted engagement with third-party cybersecurity experts, law enforcement, and regulatory notifications, with significant expenses incurred for investigation and remediation, potentially offset by cybersecurity insurance. Identity theft protection services, including credit monitoring, were offered to affected individuals.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
Progressive Leasing, a Utah-based financial services subsidiary of PROG Holdings specializing in lease-to-own consumer product financing, experienced a cybersecurity incident involving unauthorized access to its systems. The breach occurred on September 9, 2023, with discovery confirmed by the company two days later on September 11. According to regulatory filings submitted to the SEC and Maine's Attorney General, the incident constituted an external system breach attributed to hacking activity. Investigative findings determined that attackers exfiltrated sensitive personally identifiable information, specifically names combined with Social Security Numbers, affecting 193,055 individuals nationwide including 488 Maine residents. Progressive Leasing engaged third-party cybersecurity forensic experts immediately upon detection and coordinated with law enforcement agencies to investigate the intrusion. The company initiated written notifications to affected individuals on October 23, 2023, accompanied by offers for 12 months of complimentary credit monitoring and identity theft protection services through Experian Identity Works.
The AlphV/Black Cat ransomware group claimed responsibility for the attack on September 15, 2023, listing Progressive Leasing on its data leak site and alleging theft of personal data belonging to over 40 million customers, though this figure remains unverified by the company. Progressive Leasing's parent corporation, PROG Holdings, disclosed in its SEC filing that the compromised data contained a substantial volume of customer PII but emphasized no material operational disruptions occurred across its retail partnerships with entities like Best Buy, Lowe's, and Samsung. Financial disclosures indicated significant incident response and remediation costs had been incurred, with potential future expenses remaining undetermined pending completion of the investigation. The company noted uncertainty regarding cost recovery through cybersecurity insurance policies. Unlike contemporaneous attacks affecting other corporations such as MGM Resorts and Clorox, Progressive Leasing maintained business continuity without production halts or service degradation. The investigation into the full scope of compromised systems, exact data exfiltration methods, and final attribution remained active at the time of regulatory reporting.