MoneyGram hack update: Breach included Social Security numbers, government documents, bank and other sensitive data

MoneyGram is back online after a cybersecurity breach disrupted services and compromised personal information. Between September 20 and 22, an “unauthorized third party” accessed and acquired the personal data of certain MoneyGram customers, the company said, leaving users unable to access their accounts.

The money-sending service provided an update this past Monday, confirming that systems are back online (although some customers on social media are still complaining about outages). But the investigation, which the company says involves external cybersecurity experts and law enforcement, is ongoing. Here’s what we know so far:

What information was exposed?

MoneyGram revealed that the compromised data includes:

• names
• contact information (phone numbers, emails, postal addresses)
• dates of birth
• national identification numbers
• a “limited” number of Social Security numbers
• copies of government-issued identification documents (such as driver’s licenses)
• other identification documents (such as utility bills)
• bank account numbers
• MoneyGram Plus Rewards numbers
• transaction information (such as dates and amounts of transactions)

A “limited number” of customers also had criminal investigation information, like fraud, exposed, MoneyGram said.

Importantly, MoneyGram also noted that the “types of impacted information varied by affected individual.”

The company is still determining which consumers were affected and has created a dedicated page (accessible via the homepage of its website) with FAQs and recommendations for protecting personal information. A call center is available for affected customers, offering support in both English and Spanish, Monday through Friday, from 8 a.m. to 8 p.m. CT.

When asked if MoneyGram plans to contact and inform impacted customers, MoneyGram referred Fast Company to its notice and FAQ page, which had no mention of how MoneyGram users are supposed to figure out if their data was compromised.

The page recommends that affected consumers in the United States enroll in complimentary identity protection and credit monitoring services, order a free credit report, and promptly report any unauthorized transactions.

Timeline of the Cybersecurity Breach

MoneyGram first reported service disruptions on social media over the weekend of September 21. The company stated that it had “recently identified a cybersecurity issue affecting certain systems” and had taken steps to resolve it, including taking systems offline to protect network integrity.

On September 26, after several days of social media updates, MoneyGram announced that its website and app were back online, allowing customers to send and receive money through its platforms once again.

A day later, the company determined that a data breach had occurred via an unauthorized third party.

MoneyGram serves more than 50 million people in over 200 countries and territories each year, processing more than $200 billion annually. In its latest consumer update this past Monday, MoneyGram said it “regrets any concern this issue may cause its consumers and takes its obligation to safeguard personal information very seriously.”