Money transfer service MoneyGram suffered a major hack that exposed its customers’ personal and financial information to cybercriminals.

While the three-day-long breach began on September 20, 2024, the firm has not provided an estimate for the number of victims impacted, nearly three weeks later.

MoneyGram does, however, boast of having more than 150 million customers, served through over 430,000 locations spanning 200 countries and territories.

The hack exposed basic information like customer names, their dates of birth and contact information, including phone numbers, emails and postal addresses.

But the cyberattack also gave the unknown hacker, or hackers, access to much more sensitive, government-issued identification documents: scanned driver’s licenses, national identification numbers and US Social Security numbers.

Above, neon signs for MoneyGram's transfer services at a passport photo shop in New York

Payments processors, private data brokers and major names in tech have all reported massive data breaches this year — including a historic leak of US social security numbers and a hack that pulled data on 1.7 million consumer credit cards.  

MoneyGram alerted consumers to its latest findings on the case Monday.

‘On September 27, 2024, MoneyGram determined that, in connection with this issue, an unauthorized third party accessed and acquired personal information of certain consumers,’ the company said in a statement to the press.

The payments transfer company affirmed that it was working with ‘leading external cybersecurity experts’ and coordinating with law enforcement.

The firm also assured its customer base that only ‘a limited number of Social Security numbers’ had been obtained.

But as a legacy player in the payments space — whose services include traditional wire transfers and money orders, as well as app-based processing and cryptocurrency exchanges — MoneyGram holds vast amounts of private data. 

‘The types of impacted information varied by affected consumer,’ the company noted in its update Monday.

‘For a limited number of consumers,’ MoneyGram stated, ‘criminal investigation information (such as fraud)’ might also have been accessed by the hackers.

The firm did not elaborate on how many of these investigative files were closed or still active, nor how many ended with the customer being found innocent.

Copies of the utility bills used to confirm customers’ identities, their bank account numbers, their MoneyGram Plus Rewards numbers, and even data on individual transactions (such as dates and cash transfer amounts) were also exposed during the hack, the firm reported.

‘MoneyGram’s investigation is in its early stages,’ the company said, vowing that it was ‘working diligently to determine which consumers were affected by this issue.’

The hack was reportedly an example of ‘social engineering,’ in which one of the perpetrators impersonated an employee seeking tech support from MoneyGram’s IT help desk, according to sources who spoke to the site BleepingComputer.

While MoneyGram has yet to confirm or share further details on the incident, it did note that the episode was not a ransomware attack, in which data is frozen via encryption and withheld for payment. 

The company, however, is still working to assess the full extent of the private data ‘accessed and acquired’ by the hackers and has ‘set up a dedicated call center’ to solicit further information from impacted customers.

MoneyGram said it will be offering any of its affected customers two years of free credit monitoring and identity protection services.

CrowdStrike, whose faulty update shut down airlines and other businesses worldwide earlier this year, has reportedly been assisting MoneyGram in its investigation of the hack.
