Title Lender TMX Now Says Payment Card Data Stolen in Breach

The parent company of subprime lender TitleMax is warning nearly 5 million customers that a data breach affecting them is worse than it previously believed, and attackers also stole payment card data and card security codes.

See Also: Live Webinar | Unmasking Pegasus: Understand the Threat & Strengthen Your Digital Defense

Savannah, Georgia-based TMX Finance Corporate Services, which also operates the brands TitleBucks, InstaLoan and EquityAuto Loan, has more than 1,000 locations in 18 states.

On March 30, privately owned TMX warned 4,822,580 customers that hackers had stolen their personal details over a 12-day period in February. The company faces at least four proposed class-action lawsuits over the breach (see: Subprime Lender TitleMax Hit With Hacking Incident).

A revised data breach notification being sent to victims by TMX starting Wednesday states that beyond the raft of personal information that it previously stated had been stolen – including passport and Social Security numbers – attackers may have also stolen their “credit/debit card number in combination with security code, access code, password or PIN for the account.”

The title lender hasn’t said how it came by the new information. In many cases, such alerts come from payment card issuers tracking fraud that results from stolen payment card data back to its source.

The latest breach notification from TMX also revises the number of affected individuals upward, to 4,895,817. TMX previously reported detecting “suspicious activity on our systems” on Feb. 13. A third-party incident response firm called in to investigate found the intrusion appeared to have “started in early December 2022.”

TMX and its brands have come under repeated federal scrutiny for their title lending practices, which typically require a customer to put a car or motorcycle up as collateral. TMX advertises loans purporting to have reasonable interest rates, but the true annual costs of borrowing add up to as high as 179%, a January investigation by ProPublica found.

How attackers obtained customers’ payment card data isn’t clear. The Payment Card Industry’s Data Security Standard requires that all cardholder data be encrypted both in transit and at rest, should organizations opt to store it. TMX didn’t immediately respond to a request for comment.

As of June 30, the Identity Theft Resource Center ranked TMX’s breach as the eighth-largest known U.S. data breach for the first half of the year, based on the number of affected individuals.

Prior CFPB Scrutiny

The nation’s largest title lender may face questions about the breach from the Consumer Financial Protection Bureau, which says it expects to see “adequate measures to protect against data security incidents,” including the use of multifactor authentication as well as robust password management.

TMX already has a poor track record with the CFPB, which calls the company a “repeat offender” when it comes to violating lending and debt collection rules. The regulator fined TMX $9 million in 2016 for “abusive conduct.” Earlier this year, the CFPB levied a further $10 million fine for violating consumers’ rights, including by charging military families interest rates “nearly three times over the 36% annual interest rate cap,” and ordered it to refund $5 million in fees to consumers.

The company’s practices have also drawn the ire of state consumer protection groups. In July, ProPublica reported that Georgia residents who filed for bankruptcy were still being forced to repay TMX loans, especially via TitleMax, at the original terms. In 2017, in a case brought by TMX, a federal appeals court ruled that because the title lending industry operates under the pawn shop statutes in Georgia and Alabama, companies such as TMX “could sidestep the protections available to debtors in a Chapter 13 bankruptcy” and regularly did so, ProPublica reported.