Cyber Incident Victim: Receivables Performance Management
Date:
May 2021
Location:
United States of America
Summary
A ransomware attack compromised Receivables Performance Management's systems, exposing sensitive consumer data including names and Social Security numbers. The breach impacted over 3.7 million individuals after unauthorized access persisted for over a month before detection. The company disconnected affected systems, rebuilt servers, and engaged third-party cybersecurity experts to investigate the incident. Notification letters were distributed to affected parties approximately 18 months following initial discovery of the intrusion. The Washington-based accounts receivable firm specializes in debt collection services across multiple industries, maintaining significant consumer data through its operations.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On April 8, 2021, an unauthorized party first gained access to Receivables Performance Management LLC's computer systems. RPM detected anomalous activity on May 12, 2021, when portions of its network were inexplicably taken offline, prompting immediate containment measures including disconnecting all systems and initiating server rebuilds. The company engaged a third-party data security firm to investigate the incident, which was subsequently identified as a ransomware attack launched on the May detection date. Forensic analysis confirmed the threat actor maintained persistent access between the initial April intrusion and the May ransomware deployment. The investigation determined that files containing sensitive consumer information were accessible to the unauthorized actor during this period. RPM conducted a comprehensive review of affected files to identify compromised data elements and impacted individuals, a process that extended over 18 months following the attack.
On November 21, 2022, RPM reported the breach to the Maine Attorney General and issued notification letters to affected individuals, confirming the exposure of names and Social Security numbers. The company disclosed that over 3.7 million consumers were impacted by the breach, with compromised data varying per individual but consistently including these two identifiers. As an accounts receivable management firm handling collections for sectors including healthcare, retail finance, credit card services, auto finance, and utilities, RPM maintained extensive consumer data across its operational systems. The breach exposed vulnerabilities in RPM's network security despite its annual revenue of $47 million and workforce of 51 employees specializing in telemarketing, dunning notices, and portfolio recovery services. The incident created significant identity theft risks for victims while triggering legal scrutiny regarding RPM's data protection obligations to consumers whose information was processed without their direct awareness of the company's role in debt collection workflows.