It seems that the data breach at the debt collection agency Financial Business and Consumer Solutions (FBCS) was a lot bigger than initially thought.
After first reporting some 1.9 million victims, the company now says that more than 4.2 million were actually affected.
In late April, it was reported that FBCS suffered a cyberattack two months prior, losing sensitive customer data.
Using the stolen files
In a breach notification letter sent to affected customers in February 2024, FBCS said that an unnamed threat actor dwelled in its IT systems for two weeks, harvesting people’s full names, social security numbers (SSN), birth dates, account information, driver’s license numbers, and ID card numbers. All affected individuals are U.S. citizens.
Now, last week the company issued a new supplemental notice with the Office of the Maine Attorney General, BleepingComputer reports. This new notice increases the number of affected people to 4,253,394 individuals. The company started notifying the additional people, warning them of potential risks of phishing, identity theft, and online fraud. Furthermore, FBCS is offering two years of free credit and identity theft monitoring via CyEx. The same type of information was stolen on all individuals.
It is still unknown who pulled off the heist, since no hacking collectives assumed responsibility for the attack, nor did anyone find the database leaking anywhere on the dark web. Usually, threat actors would reach out to victim organizations and try to extort money, in exchange for deleting the archives.
If that fails, they would turn to the dark web, in an attempt to sell the archive to the highest bidder. Actively used email addresses, as well as personally identifiable information (PII), is valuable data that can be used in phishing, or even ransomware attacks.
Ultimately, if no other options bear fruit, the hackers can always leak it online to improve their credibility in the cybercriminal community.