If You Got a TitleMax Data Breach Notice, Here’s What You Need to Know

TMX Finance Corporate Services, the parent company of lenders TitleMax, TitleBucks and InstaLoan, has warned consumers that it suffered a significant data breach in which the sensitive information of nearly 5 million people was stolen.

All told, personal and financial information belonging to 4,822,580 consumers, including current and former TitleMax, TitleBucks and InstaLoan customers, is believed to have been compromised in the incident, which was first disclosed by TMX Finance late last week.

Read on to learn what you need to know about the situation, what data was stolen, the resulting legal action against TitleMax, and what you can do to protect yourself and your information going forward.

What happened?

According to a notice letter sent to victims, Canada-based TMX Finance detected “suspicious activity” on its systems on February 13 of this year and immediately retained “global forensic cybersecurity experts” to help investigate.

The company said that while its investigation confirmed that the earliest known breach of its systems began in early December 2022, consumer data may have been exfiltrated between February 3 and February 14, 2023.

In its notice dated March 30, TMX Finance stated that although its investigation is still in progress, it believes the “incident has been contained.” The company claims to have rolled out in the wake of the incident additional security measures, such as “additional endpoint protection and monitoring” and the resetting of all employee passwords.

Further, TMX Finance said that it has notified the FBI about the data breach but claimed that it did not delay sending notice to consumers “for any law enforcement investigation.”

What information was stolen in the TitleMax data breach?

According to TMX Finance, the information compromised in the incident may have included, but is not limited to, consumers’:

A lawsuit filed against TMX in the wake of the breach (more on this below) alleges the company stored the above-listed data on its network in an unencrypted, internet-accessible format.

A class action lawsuit was filed?

Yes, a proposed class action was filed in Georgia federal court against TMX Finance Corporate Services, Inc. on March 31, 2023.

The 51-page case alleges consumers’ data was stolen as a result of “negligent and/or careless acts and omissions” on the part of TMX Finance, whose subsidiaries include TitleMax, a lender with 1,100 locations nationwide; TitleBucks, a car title loan company; and InstaLoan, which offers quickly approved loans to consumers with bad credit.

The suit chides the financial giant not only for its apparent failure to prevent the incident but for waiting more than three months after the breach occurred before notifying impacted consumers and state attorneys general.

“As a result of this delayed response, Plaintiff and Class Members had no idea their [personally identifiable information] had been compromised, and that they were, and continue to be, at significant risk of identity theft and various other forms of personal, social, and financial harm, including the sharing and detrimental use of their sensitive information,” the complaint reads. “The risk will remain for their respective lifetimes.”

The case notes that TMX has shared with neither victims nor regulators the “root cause” of the data breach, the particular system vulnerabilities exploited by the perpetrators, or the “remedial measures” taken by the company to ensure such an incident does not happen again.

The lawsuit looks to cover all individuals whose personally identifiable information was accessed and/or acquired in the data incident of which TMX Finance notified consumers on or around March 30, 2023.

Other attorneys are pursuing a mass arbitration strategy on behalf of consumers whose information was exposed in the TitleMax data breach. (More on that below).

How do I get involved in the mass arbitration?

If you would like to participate in the mass arbitration, you must affirmatively join that action. You can read more about what that entails and how to get involved over on our dedicated page.

How do I join the lawsuit?

There’s nothing you need to do to join a proposed class action case when it’s first filed. It’s only if and when a case settles that the consumers covered by the suit would need to act. This typically involves filling out and filing a claim form online or by mail.

What can I do to protect myself?

TMX Finance urges victims of the TitleMax data breach to “remain vigilant against potential identity theft and fraud” by carefully keeping an eye on their credit reports and account statements to ensure that all activity is legitimate. Consumers should report any questionable activity directly to the bank or card provider with whom the account is maintained.

Questionable activity should also be promptly reported to the major credit reporting bureaus, law enforcement, your state attorney general and/or the Federal Trade Commission. Contact information for Equifax, Experian and TransUnion can be found on page two of the TMX Finance data breach notice.

The company has offered impacted consumers 12 months of complimentary credit monitoring and identity protection services through Experian IdentityWorks. To enroll in Experian IdentityWorks, head to ExperianIDWorks.com/credit and enter the activation code included in the data breach notice.

Consumers must enroll in the program by July 31, 2023, after which the activation code will no longer work.

Other options available to a consumer whose data was compromised include placing a fraud alert on their credit report and requesting a security freeze on their credit file.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.