As US payment platform MoneyGram assesses the damage from a major hack of customer information, Vixio hears from sources that lack of encryption was to blame.
Last week, MoneyGram provided an update on the fallout of a major cyber attack that took place last month and led to a serious breach of customer information.
The remittance company said that, between September 20 and 22, an “unauthorised third party” accessed and acquired personal information of certain consumers.
Though MoneyGram could not yet confirm which customers were affected, it did confirm what types of information were affected.
These included names, contact information (such as phone numbers, email and postal addresses), dates of birth, national ID numbers and a “limited” number of US social security numbers.
Copies of government-issued ID documents (such as driver's licences) were also compromised, as were other ID documents (including utility bills) and bank account numbers.
Finally, some transaction information (such as dates and amounts) was compromised, as was some information pertaining to criminal investigations (such as fraud cases).
“MoneyGram regrets any concern this issue may cause its consumers and takes its obligation to safeguard personal information very seriously,” the remittance provider said.
“The company will continue to work hard to support consumers and deliver the services they expect from MoneyGram.”
Upon detecting the issue, MoneyGram took steps to contain and remediate it, including proactively taking certain systems offline, which temporarily impacted the availability of its services.
All of MoneyGram’s systems are now back online and the company has resumed normal business operations.
It has also launched an investigation with assistance from external cybersecurity experts, and has been coordinating with law enforcement.
Impact ‘downplayed’
Vixio heard from two sources who are familiar with the situation internally, and who said that the impact of the cyber attack is being “downplayed”.
The sources, who wished not to be named, said the wide range of customer information compromised was an easy target because it was not encrypted.
Moreover, the data of all customers sat within a single database, so access to this database granted the attackers access to all customers and all types of customer information.
One source said the impact of the attack is already “crazy”, given the exposure of passport numbers and social security numbers.
He added that the lack of encryption could be in breach of Payment Card Industry Data Security Standard (PCI DSS) rules.
MoneyGram did not respond to these allegations when contacted by Vixio.
MoneyGram offering free ID theft protection
Where available, MoneyGram is now offering affected consumers two years of identity monitoring protection from Experian IdentityWorks free of charge.
The service monitors websites, chat rooms and bulletin boards 24/7 to identify trading or selling of personal information on the dark web, and it prompts the user if it detects any suspicious activity.
It also offers up to $1m in identity theft insurance, which covers stolen funds linked to unauthorised transactions, lost wages and other forms of theft.
In cases of cyber attacks where customer information is compromised, an offer of free protection from an identity fraud monitor is becoming something of an unwritten standard.
In August this year, following a data breach that affected 30,210 Bank of America customers, EY offered those affected two years of free coverage with Experian IdentityWorks.
In April this year, following a breach that affected 451,000 retirement plan participants, J.P. Morgan Chase also offered the same to its affected customers.