Money transfer giant MoneyGram has confirmed it suffered a data breach affecting highly sensitive customer data, including identification documents and bank account details.
US-owned MoneyGram is one of the more popular transfer vendors in Australia – sporting multiple locations in all states and territories and servicing some 150 million people across the globe.
Last month, the company suffered a cyber attack which saw both its website and app rocked by a week-long outage.
As the days stacked up and the company struggled to get back online, disgruntled customers took to social media platform X to voice their confusion.
“Why can’t I retrieve the money I sent to Mexico,” wrote one customer.
“It has been down for more than 3 days and my family cannot retrieve it.”
“We need a solution soon and to ensure that our personal and bank information is safe,” wrote another.
“We want our money back.”
While services were restored 26 September, MoneyGram kept silent for nearly a fortnight in the face of the hordes of customers concerned over their transactions and the safety of their data.
On 7 October, the company conceded it had suffered a data breach, and that an “unauthorised third party” accessed and acquired its customers’ information.
Personal data stolen
Between 20 September and 22 September, the hacker got their hands on personal details – such as names, phone numbers, emails and postal addresses – as well as dates of birth, ‘MoneyGram Plus Rewards’ numbers and transaction information relating to dates and amounts.
Most notably, the attacker accessed bank account numbers, utility bills, copies of “government-issued identification documents” such as drivers licences and, in some cases, information related to criminal investigations such as fraud.
“The types of impacted information varied by affected individual,” said MoneyGram.
“Upon detecting the issue, we took steps to contain and remediate it, including proactively taking certain systems offline, which temporarily impacted the availability of our services.
“Our systems are back online and we have resumed normal business operations.”
Unknown number of customers affected
MoneyGram did not confirm how many of its approximate 150 million customers may be impacted, however, the hacker was able to access “a limited number of social security numbers” in the US.
Furthermore, the company had already confirmed the data breach to the UK’s Information Commissioner’s Office as early as 27 September.
Information Age has contacted Australia’s data watchdog – the Office of the Australian Information Commissioner – to confirm whether MoneyGram has likewise reported a data breach which impacts Australian customers.
MoneyGram said it has arranged to offer affected US consumers identity protection and credit monitoring services for two years at no cost.
The company did not immediately respond to Information Age when asked how the attack occurred, though it has publicly stated its investigation into the issue is ongoing.
MoneyGram’s incident response measures also seem to be progressing as intended, with the company assuring it has been coordinating with law enforcement and recruiting the help of “leading external cyber security experts”.
“We recommend that you remain vigilant for incidents of fraud and identity theft by reviewing account statements and monitoring your free credit reports,” said MoneyGram.
