Debt collection agency Financial Business and Consumer Solutions recently said that a February data breach it disclosed in April has affected more people than previously known, with the latest victim tally reaching 3,226,631.
The disclosure came in the form of
According to
The breached data may also include addresses, driver's license numbers, other state identification numbers, medical claims information, provider information, clinical information (including diagnoses and conditions, medications and other treatment information) and health insurance information.
FBCS did not immediately respond to a request for comment.
It is unclear who is behind the intrusion that precipitated the data breach, whether they demanded a ransom from FBCS and, if so, whether the company paid the ransom. No cybercriminal group has publicly claimed responsibility for the breach.
FBCS said it discovered unauthorized access to systems in its network on February 26 and determined that the unauthorized access had started on February 14. FBCS began sending notifications to breach victims two months later, on April 26.
The company has not explained the two-month delay between identifying the breach and sending notifications to customers. State laws require various timelines for notifying affected consumers about a data breach that affected them. Maine has one of the shortest timelines, requiring companies that experience a data breach to notify affected customers within 30 days of the company becoming aware of the breach and identifying its scope.
Several federal agencies have recently stepped up requirements on banks to notify regulators and the public when they fall victim to cybersecurity incidents.
Most states allow for delays to these notifications in cases where a law enforcement agency determines that notification would compromise a criminal investigation. However, FBCS said its notifications were "not delayed as a result of a law enforcement investigation."
At least 14 people have filed lawsuits against FBCS in federal court since the breach was disclosed, all of which have been in the U.S. District Court for the Eastern District of Pennsylvania. In one example, a victim alleges that, despite FBCS allegedly claiming the security of clients' data is the company's "top priority" and that its staff "is trained on security policies" to keep its facilities and client data safe, these measures were inadequate to protect the victim's data from theft.
FBCS has not yet responded to these allegations.
Debt collection agencies have suffered large data breaches in the past, putting financially strained consumers at risk of identity theft.
Public information is not available regarding banks, credit card companies or other debt issuers who sell debt to FBCS. FBCS says it provides debt collection services on consumer credit accounts including credit cards, retail cards, consumer loans, student loans and deposit draft accounts. The company also collects health care, commercial, auto and utilities debts.
Debt collection agencies tend to handle a lot of sensitive information about individuals, making them a great target for cybercriminals hoping to make some money through the illicit sales of the data, according to Erich Kron, security awareness advocate at KnowBe4, which provides training to companies seeking to inoculate their employees against social engineering attacks.
In the case of RPM, the debt collector claimed it had obtained confirmation that the stolen information was no longer in the possession of the third parties associated with the incident. In the case of FBCS, the debt collector said it has "no evidence of the misuse of any individuals' personal information." In both cases, victims allege that there is no way to guarantee their stolen information will not be misused in the future, after their complimentary identity theft protection expires.
"Although FBCS is offering a free year of credit monitoring services to the victims, because they can't change their birth date or Social Security number as easily as they can a compromised password or a credit card number, the information taken by the bad actors will have lifelong implications for the victims," Kron said.