Snow lingered outside the office building of Receivables Performance Management on Thursday, Dec. 1, 2022, in Lynnwood, Washington. (Olivia Vanni / The Herald)

Snow lingered outside the office building of Receivables Performance Management on Thursday, Dec. 1, 2022, in Lynnwood, Washington. (Olivia Vanni / The Herald)

Lynnwood data breach exposed sensitive info for 3.7 million across US

Lawsuits allege lax security at a debt collection agency led to the attack. It wasn’t announced for over a year.

LYNNWOOD — A security breach at a Lynnwood-based debt collection agency jeopardized sensitive personal information for more than 3 million people across the country last year.

And the company, Receivables Performance Management, failed to notify potential victims for over 18 months. It wasn’t until late last month the company sent notices alerting people their social security numbers and names may have been accessed.

The Lynnwood company now faces a slew of lawsuits in federal court in Seattle. The complaints allege the company violated state law due to an alleged lack of security and the delay in notifying people of the breach. The four plaintiffs are from Georgia, New Jersey, North Carolina and Pennsylvania. Several of them had fraudulent activity on their bank accounts before they were notified of the breach.

An attorney for the plaintiffs, Kaleigh Boyd of Seattle law firm Tousley Brain Stephens, declined to comment Wednesday.

Tom Loeser, a lawyer with Hagens Berman, also of Seattle, told The Daily Herald his firm has heard from several other people who received the notice. He has lots of questions as his firm investigates the ransomware attack.

“When did they learn about it?” Loeser said. “When did they get the ransom message? And why didn’t they tell people then? Were they working with the hackers to try to get the information back? Were they going to keep it close to their vests and not tell anybody until they thought they resolved it?”

Loeser, a former federal prosecutor in California who handled cyber crime cases, suggested those affected should freeze their accounts at all three of the credit bureaus. And if one pays for anything to protect their data, be sure to keep the receipts.

In the notice to those affected, the company advised people closely monitor “all mail, email, or other contact from individuals not known to you personally, and to avoid answering questions or providing additional information to such unknown individuals.”

The company and its lawyer didn’t immediately respond to a request for comment.

Many clients whose data was breached wouldn’t even know Receivables Performance Management had their personal information, Loeser said. It simply collects debt while working with companies in various sectors, including health care, banking and utilities.

The attack

On May 12, 2021, the company became aware of a “data security incident,” according to the notice sent Nov. 21, 2022.

Its investigation found the hackers first accessed the company’s server a month earlier, on April 8. The ransomware attack was launched in May, exposing personal information for 3,766,573 people.

The company immediately disconnected all of its electronic equipment and began restoring its systems, according to the notice.

In the notice, Receivables Performance Management’s CEO Howard George wrote that the company’s data review process lasted until early October of this year.

“Through this review process, RPM identified the presence of your personal information in the files that were reviewed, including Social Security number,” George wrote. “Please note that it is entirely possible that your specific personal information was not impacted as a result of the incident. RPM also obtained confirmation to the best of its ability that the information is no longer in the possession of the third party(ies) associated with this incident.”

The CEO wrote that the company “deeply regrets any concern this may have caused you.”

It’s unclear if the company paid a ransom to get the data back or where the sensitive information is now. And it’s unknown who got the data.

“I don’t know that there is a world of honest thieves out there,” Loeser said. “There is absolutely no guarantee that paying a ransom in a ransomware attack means that the hacker will all of the sudden be altruistic and choose not to sell all of the information they stole on the Dark Web. You have to remember that they stole the information to begin with.”

Receivables Performance Management offered a free yearlong subscription to a credit monitoring and identity theft protection service. The company encouraged clients to contact it at 877-237-5382 for more information.

Loeser said the yearlong protection is “grossly insufficient.” Sometimes, hackers will hold on to the information for years, wait until people have their guards down and then use it.

The lawsuits allege the Lynnwood company failed to “maintain an adequate data security system to reduce the risk of data breaches.” Loeser said the fact the hack happened at all shows its data security efforts weren’t enough.

The debt collection company’s privacy policy on its website states: “As financial services professionals entrusted with sensitive information, we respect the privacy of our clients, and the privacy of their customers. We are committed to treating customer’s information responsibly.”

It’s likely more lawsuits will be filed against Receivables Performance Management. Those would probably then be consolidated into one class-action case.

A spokesperson for the Federal Trade Commission declined to comment on whether the agency was investigating the attack. A spokesperson for the state Office of the Attorney General didn’t immediately respond to a request for comment.

This article has been updated that Loeser suggested freezing credit bureau accounts.

Jake Goldstein-Street: 425-339-3439;; Twitter: @GoldsteinStreet.

Talk to us

More in Local News

Logo for news use featuring the municipality of Mountlake Terrace in Snohomish County, Washington. 220118
Mountlake Terrace council taps planning commissioner for open seat

With five votes, Rory Paine-Donovan was affirmed to join the ranks of the Mountlake Terrace City Council.

CEO Amy King standing outside of a Pallet shelter. (Courtesy of Pallet)
After rapid rise, Everett’s Pallet hits milestone: 100 shelter villages

Temporary home manufacturer Pallet hires locals who have “experienced homelessness, substance abuse or the justice system.”

Locals from the group Safe Lynnwood gather in front of the Ryann Building on 196th Street SW to protest the opening of a methadone clinic in the building on Sunday, Jan. 22, 2023, in Lynnwood, Washington. (Ryan Berry / The Herald)
Despite controversy, Lynnwood opioid treatment center opens its doors

For weeks, protesters have objected to the center opening near Little League fields and a Boys and Girls Club.

A man was injured and a woman found dead Sunday night after an RV fire in Marysville. (Marysville Fire District)
Woman dead, man burned in Marysville RV fire

The Snohomish County Fire Marshal’s Office and Marysville Police Department were investigating the cause of the fire.

Ismael Cruz-Sanchez speaks at his sentencing at the Snohomish County Courthouse on Monday, Jan. 30, 2023 in Everett, Washington. (Olivia Vanni / The Herald)
Driver in fatal I-5 crash in Arlington gets 10 years

Ismael Cruz-Sanchez had a lengthy history with impaired driving. He pleaded guilty to killing Jason Vogan, 45.

Logo for news use featuring the municipality of Snohomish in Snohomish County, Washington. 220118
Boil water advisory in effect for 75 Snohomish homes

A water main break resulted in outages and possible contamination Sunday. Service was expected to return by Wednesday.

NO CAPTION NECESSARY: Logo for the Cornfield Report by Jerry Cornfield. 20200112
No right turns on red gets a look, a bid to expand sports betting arrives

It’s a new week. Here’s what’s happening on Day 22 of the 2023 session of the Washington Legislature

The final 747 is revealed during a celebration in Everett, Washington on Tuesday, Jan. 31, 2023. The plane was rolled out Dec. 6 from the Everett assembly factory and delivered to the customer, Atlas Air. (Annie Barker / The Herald)
‘Still jaw-dropping’: Last Boeing 747 takes the stage in Everett

Thousands, including actor John Travolta, gathered at Boeing’s Everett factory to bid goodbye to the “Queen of the Skies.”

Logo for news use, for stories regarding Washington state government — Olympia, the Legislature and state agencies. No caption necessary. 20220331
Lobbyist barred from WA Capitol after ruling he stalked representative

State Rep. Lauren Davis, D-Shoreline, obtained a domestic violence protective order against longtime lobbyist Cody Arledge.

Most Read