Money transfer app hit by major hack that exposed customer social security numbers and bank accounts
Money transfer service MoneyGram suffered a major hack that exposed its customers’ personal and financial information to cybercriminals.
Nearly three weeks after the three-day breach began on September 20, 2024, the company has still not provided an estimate of the number of affected victims.
However, MoneyGram boasts more than 150 million customers through its more than 430,000 locations across 200 countries and territories.
The hack revealed basic information such as customer names, their dates of birth and contact details including phone numbers, emails and postal addresses.
But the cyberattack also gave the unknown hacker(s) access to much more sensitive government-issued identification documents: scanned driver’s licenses, national identification numbers, and U.S. Social Security numbers.
Payment processors, private data brokers and big names in the tech sector have all reported massive data breaches this year, including a historic leak of US Social Security numbers and a hack that harvested data from 1.7 million consumer credit cards.
MoneyGram notified consumers on Monday of the latest findings on the case.
“On September 27, 2024, MoneyGram determined that, in connection with this matter, an unauthorized third party accessed and obtained personal information of certain consumers,” the company said in a statement to the press.
The payment transfer company confirmed it was working with “leading third-party cybersecurity experts” and coordinating with law enforcement.
The company also assured its customer base that only “a limited number of Social Security numbers” had been obtained.
But as a major payments player — whose services include traditional wire transfers and money orders, as well as app-based processing and cryptocurrency exchanges — MoneyGram holds vast amounts of private data.
“The types of information affected varied by affected consumer,” the company noted in the update Monday.
“For a limited number of consumers,” MoneyGram said, the personal information the hackers may have accessed included “criminal investigation information (such as fraud).”
The company did not indicate how many of these investigation files had been closed or were still active, nor how many of them ended with the client being found not guilty.
Copies of utility bills used to confirm customers’ identities, their bank account numbers, their MoneyGram Plus Rewards numbers and even data about individual transactions (such as dates and cash transfer amounts) were also exposed during the hack, the company reported.
“MoneyGram’s investigation is in the early stages,” the company said, promising that it was “working diligently to determine which consumers were affected by this issue.”
The hack was reportedly an example of “social engineering,” with one of the perpetrators posing as an employee seeking technical support from MoneyGram’s IT helpdesk, according to sources who spoke to the site BleepingComputer.
While MoneyGram has not confirmed or shared any further details about the incident, it did note that the episode was not a ransomware attack, which involves freezing data via encryption and withholding it for a fee.
However, the company is still working to assess the full extent of private data “accessed and obtained” by the hackers and has “set up a dedicated call center” to request further information from affected customers.
MoneyGram said it will offer all its affected customers two years of free credit monitoring and identity protection services.
CrowdStrike, whose faulty update earlier this year shut down airlines and other companies worldwide, reportedly helped MoneyGram investigate the hack.