The debt collection company Financial Business and Consumer Solutions (FBCS) informed the Maine Attorney General about changes in its earlier reported breach with 1,955,385 individuals affected. Sadly, the new report submitted to the Maine Attorney General showed that the FBCS breach had 4,050,711 individuals confirmed to have been impacted, including 7, 786 residents in Maine. The number of affected individuals is still increasing, with the update at the end of July indicating that 4,253,394 individuals were impacted, including 7,841 residents in Maine.
The data breach was discovered on February 26, 2024, but it occurred on February 14, 2024. Third-party cybersecurity experts conducted a forensic investigation, which confirmed that the breach only affected the FBCS systems. The hackers got access to the systems for about two weeks. At that time, files with sensitive information were potentially viewed or stolen.
On April 26, 2024, FBCS sent the first notification to the Maine Attorney General concerning the breach, but the investigation did not end. With the continuation of the investigation, the number of affected individuals increased. The investigation is still not completed, so further notification may be issued to the Maine Attorney General.
FBCS offers services to clients in several industries and helps to restore consumer credit, student loans, auto loans and leases, unpaid medical invoices, and utility bills. At the beginning of June, in compliance with HIPAA, FBCS informed the HHS’ Office for Civil Rights that a breach affected 209,227 individuals. Since that time, three more notices have been sent to the Maine Attorney General, and it is currently unsure if the last notification is the last.
The types of data breached during the incident included names, birth dates, Social Security numbers and non-driver’s license ID card numbers, driver’s license numbers, bank account data, and medical data. FBCS stated it doesn’t know about any misuse of information. However, as a safety measure, free credit monitoring and identity restoration services were provided.
Many debt collection companies encountered cyberattacks that involved stolen data. Even with over 4.25 million stolen records, this incident is not the biggest data breach conducted by a debt collection agency. That unwanted data is sent to the American Medical Collection Agency, which experienced a cyberattack in 2021 that compromised the information of over 24 million people.