High-cost lender TMX Finance and its affiliates TitleMax, TitleBucks, and InstaLoan have collectively disclosed a data breach affecting nearly five million customers, according to a data breach notification publicized by the Maine State Attorney General.  

TMX is a public financial services company that provides high-cost loans to individuals and primarily specializes in auto title loans. The business has more than 950 stores across 15 states in the United States.  

According to the notice, the company discovered a cyberattack on February 13, 2023, but further investigation revealed that hackers had breached the system in early December 2022, according to a sample breach notification letter sent to affected customers on Thursday.

"On March 1, 2023, the investigation confirmed that information may have been acquired between February 3, 2023 -- February 14, 2023," the letter stated.  

The hackers stole 4,822,580 customers' personal information, including their names, dates of birth, passport numbers, driver's license numbers, federal and state identification card numbers, tax identification numbers, social security numbers, and financial account information.  

"We promptly began a review of potentially affected files to determine what information may have been involved in this incident. We notified the FBI but have not delayed this notification for any law enforcement investigation," the company said.  

The company claims that the incident has been contained.  

SC Media has reached out to the TMX Finance for more information about attack and whether a ransom payment was made.  

As the company continues investigating the incident, it has offered customers 12-month complimentary credit monitoring and identity protection services. The company added that it has implemented additional security features, such as additional endpoint protection and monitoring, while resetting all employee passwords.