MoneyGram now says customer data has been affected by a security incident
MoneyGram has confirmed that it has lost sensitive customer data in the recent cyber attack on its business.
In a data breach notification letter sent to affected customers and published on the company’s website, hackers gained access to MoneyGram’s networks for two days between September 20 and 22.
During that time, they exfiltrated people’s names, phone numbers, email addresses, postal addresses, dates of birth, Social Security numbers, copies of government-issued documents (e.g. driver’s licenses), various identification documents (utility bills and the like). , bank account numbers, MoneyGram Plus Rewards numbers, transaction data (dates, amounts and more), and criminal investigation information (such as fraud).
No ransomware attack
That’s more than enough for phishing, identity theft and even wire fraud. At this time we do not know how many people were affected by this incident, but we do know that the type of information stolen varies from person to person.
MoneyGram is a global money transfer and payment services company that allows individuals and businesses to send and receive money internationally. It offers services including peer-to-peer money transfers, bill payments and money orders, with operations in more than 200 countries and territories.
On September 20, customers took to social media (X, Facebook, Reddit) to complain about services not working properly, the website being offline, and other concerns. Three days later, the company responded to the claims, saying it was dealing with a network outage, and later confirmed it was dealing with a “cybersecurity issue.” In response to this issue, MoneyGram has shut down parts of its IT systems, including both online and in-person transactions.
This led the media and customers to speculate that MoneyGram had suffered a ransomware attack, even though no threat actors have claimed responsibility. However, days later the company sent a letter to its stakeholders to confirm that this was not the case.
