Cyber Incident Victim: TMX Finance

Date: Dec 2022

Location: United States of America

Summary

A consumer finance company experienced a data breach impacting approximately 4.8 million individuals, compromising sensitive personal information including names, dates of birth, government-issued identification numbers, Social Security numbers, financial account details, contact information, and email addresses. The breach originated from unauthorized system access that began months prior to detection, with confirmed data exfiltration occurring over an 11-day period. The organization contained the incident, implemented enhanced endpoint security and password resets, notified law enforcement, and offered affected individuals complimentary identity protection services. Internal investigations confirmed the scope of compromised data while ongoing monitoring measures were established to prevent recurrence.

Description

In early December 2022, unauthorized actors breached the systems of TMX Finance and its subsidiaries TitleMax, TitleBucks, and InstaLoan, though the intrusion remained undetected until February 13, 2023. Upon discovering suspicious system activity, TMX initiated an investigation, which concluded on March 1, 2023 and confirmed that threat actors had acquired customer data between February 3 and February 14, 2023. The breach impacted 4,822,580 individuals across TMX’s lending operations, which include TitleMax’s 1,100 U.S. stores, TitleBucks’ car title loan services, and InstaLoan’s personal loan offerings for customers with poor credit. Exposed information encompassed full names, dates of birth, passport numbers, driver’s license details, federal or state identification card numbers, tax identification numbers, Social Security numbers, financial account information, phone numbers, physical addresses, and email addresses. TMX stated the breach originated in early December 2022 but provided no specifics on the initial intrusion vector or duration of undetected access prior to February 3.

Following containment of the incident, TMX implemented enhanced endpoint protection and monitoring across its systems while resetting all employee account passwords to prevent further unauthorized access through compromised credentials. The company notified affected customers via breach disclosure letters starting March 29, 2023, advising them to review credit reports and account statements for fraudulent activity. TMX offered impacted individuals a free 12-month enrollment in Experian’s identity protection services and provided instructions for initiating security freezes. The FBI was notified of the breach, though TMX proceeded with customer notifications without delaying for law enforcement investigations. No ransomware or data extortion demands were mentioned in the disclosure. The incident exposed highly sensitive personal and financial identifiers, significantly elevating risks of identity theft and financial fraud for nearly five million customers across TMX’s lending subsidiaries.
