Consumer Loans Firm TMX Reveals Major Data Breach

US consumer lending firm TMX Finance has revealed a serious breach of customer data which it first discovered nearly three months ago.

The Savannah, Georgia-headquartered business said in a breach notification letter filed with the Office of the Maine Attorney General that the breach likely began in early December 2022. However, the firm did not discover it until February 13 2023.

“On March 1 2023, the investigation confirmed that information may have been acquired between February 3 2023 and February 14 2023. We promptly began a review of potentially affected files to determine what information may have been involved in this incident. We notified the FBI but have not delayed this notification for any law enforcement investigation,” the statement noted.

“The personal information involved may have included your name, date of birth, passport number, driver’s license number, federal/state identification card number, tax identification number, social security number and/or financial account information, and other information such as phone number, address and email address.”

TMX Finance claimed that the incident is now contained, that it has reset all employee passwords and that it has enhanced its defensive security posture with additional endpoint protection and monitoring.

The lender is offering affected customers free credit monitoring and identity protection from Experian for 12 months but urged them to regularly check account statements for any unusual activity.

The variety of data stolen would give scammers an opportunity to attempt identity fraud such as opening new lines of credit in the name of breached customers. It could also provide useful information with which to craft highly convincing phishing emails designed to harvest more financial details.

The billion-dollar-revenue company runs three major brands, TitleMax, TitleBucks and InstaLoan, across around 1000 locations in the US.

According to the letter, over 4.8 million customers were impacted.
