The recent data breach at debt collection agency Financial Business and Consumer Solutions (FBCS) was much larger than initially thought, the company has announced.
After initially reporting that 1.9 million people had died in the incident, the company now says the true number may be more than 4.2 million.
In late April 2024, it was reported that FBCS had been the victim of a cyberattack two months earlier. The company reported in a breach notification letter sent to affected customers that an anonymous threat actor had been in its IT systems for two weeks and had collected people’s full names, social security numbers, dates of birth, bank account information, driver’s license numbers and ID card numbers.
Use of the stolen files
However, the company has now issued a new supplemental notice to the Maine Attorney General’s Office, increasing the number of people affected to 4,253,394 people.
The company began warning the additional people about potential risks of phishing, identity theft, and online fraud. In addition, FBCS offers two years of free credit and identity theft monitoring through CyEx. The same type of information was stolen from all individuals.
It is still unknown who carried out the heist, as no hacking collective has claimed responsibility for the attack, and no one has found the database anywhere on the dark web. Typically, threat actors would contact victim organizations and attempt to extort money in exchange for removing the archives.
If that doesn’t work, they turn to the dark web, attempting to sell the archive to the highest bidder. Actively used email addresses, as well as personally identifiable information (PII), are valuable data that can be used in phishing or even ransomware attacks.
If no other options yield results, hackers can always leak the information online to increase their credibility in the cybercriminal community.
Through BleepingComputer