A total of 4,822,580 customers had their personal data exposed in a data breach, as disclosed by TMX Finance and its subsidiaries, including TitleMax, TitleBucks, and InstaLoan.

First reported by BleepingComputer, the Canadian finance giant has notified affected individuals in a letter regarding a data breach, revealing that its systems were breached by hackers in early December 2022.

However, the breach went undetected until February 13th, 2023.

Following an internal investigation that concluded on March 1st, 2023, TMX discovered that client information had been stolen by the network intruders between February 3rd and 14th, 2023.

The data breach notice states, “On February 13, 2023, we detected suspicious activity on our systems and promptly took steps to investigate the incident.”

The notice also reveals that “Based on the investigation to date, the earliest known breach of TMX’s systems started in early December 2022.”

Additionally, “On March 1, 2023, the investigation confirmed that information may have been acquired between February 3, 2023 – February 14, 2023.”

TMX has stated that it believes the security incident to be contained but will continue to monitor its systems for any further suspicious activity.

However, the personal information of affected customers was extensively exposed in the data breach, including their full names, date of birth, passport numbers, driver’s license numbers, federal/state identification card numbers, tax identification numbers, Social Security numbers, financial account information, phone numbers, physical addresses, and email addresses.

This level of personal information can lead to identity theft, and as a result, customers of TitleMax, TitleBucks, and InstaLoan should exercise caution and remain vigilant.

TMX is currently conducting an ongoing investigation into the incident and has offered affected customers a 12-month complimentary credit monitoring and identity protection service.

The company has also implemented further security measures, including additional endpoint protection and monitoring, as well as resetting all employee passwords.

According to TMX, it informed the FBI about the security incident, but it did not hold back the distribution of the notice to impacted customers to allow law enforcement to investigate.

The company has encouraged customers to stay alert against potential identity theft and fraud by carefully reviewing credit reports and account statements to ensure that all activity is legitimate.