Truist customers affected by February data breach of third party

Truist publicly disclosed last week that a February data breach at a third party that affected 4.2 million consumers included some bank customers. The data had been in the possession of debt collection agency Financial Business and Consumer Solutions, or FBCS.

Truist has not publicly disclosed how many of the 4.2 million victims were its own customers. Comcast also said last week that 230,000 of its customers were affected. Initial reports from FBCS indicated a smaller number of total victims, but it provided a supplemental filing in April to the Maine Attorney General, revising the total up from 3.2 million. 

In its letter to victims, Truist told customers that the type of information impacted varied per person but may include the consumer's name, address, date of birth, Social Security number and account number. It emphasized that FBCS' systems had been breached, not Truist's. The bank did not immediately respond to a request for comment.

Rather, Truist apparently provided the victims' information to FBCS as part of its debt collection procedures. The bank said in its letter that FBCS "provided services" to Truist, though it was unclear whether the bank still maintains a relationship with the firm.

An unauthorized party had access to FBCS' network from February 14 to February 26, according to the debt collector and Truist.

Scores of people have filed lawsuits against FBCS in federal court since the breach was disclosed, nearly all of which have been in the U.S. District Court for the Eastern District of Pennsylvania. In one case, a victim alleged that, despite FBCS allegedly claiming the security of clients' data is the company's "top priority" and that its staff "is trained on security policies" to keep its facilities and client data safe, these measures were inadequate to protect the victim's data from theft.

FBCS filed for chapter 7 bankruptcy relief on August 29, so the proceedings in the class action lawsuit against it are on hold.

Debt collection agencies have suffered large data breaches in the past, putting financially strained consumers at risk of identity theft. In 2022, Receivables Performance Management disclosed a breach that the company did not detect until 18 months after the breach actually occurred. In that case, 3.7 million consumers were affected. A settlement in that class action lawsuit is currently underway.

Organizations share data for a variety of reasons without clearly stating as much to consumers, so it is not always clear to the consumer when a breach might impact them, according to Erich Kron, security awareness advocate at security awareness training firm KnowBe4.

"In cases such as this, the information has been in the hands of bad actors for months before the victims even know they are at risk, limiting their ability to protect themselves during the time between the breach and the notification," Kron said.

Kron said this kind of breach is "often underestimated" by victims who believe the stakes are simply that their identity might get stolen. The reality is worse, he said; cybercriminals can easily pose as a collections agency using the specific and personal information stolen in the breach and con people directly out of their money.

"For those impacted by this breach, diligence and a healthy bit of skepticism should be used with any organization that calls or emails looking for money," Kron said. "People should be aware that this stolen information can be used to make contacts seem very legitimate and should certainly be on guard."
