TMX Finance and its subsidiaries TitleMax, TitleBucks and InstaLoan collectively disclosed a data breach that exposed the personal data of 4,822,580 customers.

TMX is a public financial service that operates equity, fixed income, derivatives and energy markets exchanges, with commercial presence in the United States, Canada, United Kingdom, Australia and in China.

TitleMax is a lending company operating 1,100 stores in the United States, TitleBucks is a car title lending service, and InstaLoan is a fast-approval personal loan service for people with bad credit.

In a data breach notification letter sent yesterday to those affected, the Canadian financial giant informs that hackers hacked into its systems in early December 2022 but did not detect the breach until February 13, 2023.

After completing the internal investigation on March 1, 2023, TMX discovered that network intruders stole customer information between February 3 and February 14, 2023.

“On February 13, 2023, we detected suspicious activity on our systems and quickly took action to investigate the incident,” reads the data breach notice.

“Based on the investigation to date, the first known breach of TMX’s systems began in early December 2022.”

“On March 1, 2023, the investigation confirmed that information may have been acquired between February 3, 2023 and February 14, 2023.”

TMX says the following customer data was exposed in the breach:

• Full name
• Date of birth
• Passport number
• Driver’s license number
• Federal/State ID Number
• Tax Identification Number
• Social Security number
• Financial account information
• Phone number
• Physical address
• E-mail address

TMX believes the security incident has now been brought under control, but continues to monitor its systems for suspicious activity.

Additionally, the company implemented endpoint protection and monitoring and reset all employee account passwords to block access through potentially compromised internal accounts.

The company’s data breach notice also contains instructions for individuals to sign up for a free 12-month identity protection service through Experian and request a security freeze.

TMX says it notified the FBI of the security incident, but did not withhold distribution of the notice to affected customers to allow law enforcement to investigate.

“We encourage you to remain vigilant against potential identity theft and fraud by carefully reviewing credit reports and account statements to ensure that all activity is valid,” the letter concludes.