Snow lingered outside the office building of Receivables Performance Management on Thursday, Dec. 1, 2022, in Lynnwood, Washington. (Olivia Vanni / The Herald)

Lynnwood data breach exposed sensitive info for 3.7 million across US

Lawsuits allege lax security at a debt collection agency led to the attack. It wasn’t announced for over a year.

LYNNWOOD — A security breach at a Lynnwood-based debt collection agency jeopardized sensitive personal information for more than 3 million people across the country last year.

And the company, Receivables Performance Management, failed to notify potential victims for over 18 months. It wasn’t until late last month that the company sent notices alerting people their Social Security numbers and names may have been accessed.

The Lynnwood company now faces a slew of lawsuits in federal court in Seattle. The complaints allege the company violated state law due to an alleged lack of security and the delay in notifying people of the breach. The four plaintiffs are from Georgia, New Jersey, North Carolina and Pennsylvania. Several of them had fraudulent activity on their bank accounts before they were notified of the breach.

An attorney for the plaintiffs, Kaleigh Boyd of Seattle law firm Tousley Brain Stephens, declined to comment Wednesday.

Tom Loeser, a lawyer with Hagens Berman, also of Seattle, told The Daily Herald his firm has heard from several other people who received the notice. He has lots of questions as his firm investigates the ransomware attack.

“When did they learn about it?” Loeser said. “When did they get the ransom message? And why didn’t they tell people then? Were they working with the hackers to try to get the information back? Were they going to keep it close to their vests and not tell anybody until they thought they resolved it?”

Loeser, a former federal prosecutor in California who handled cyber crime cases, suggested those affected should freeze their accounts at all three of the credit bureaus. And if one pays for anything to protect their data, be sure to keep the receipts.

In the notice to those affected, the company advised people to closely monitor “all mail, email, or other contact from individuals not known to you personally, and to avoid answering questions or providing additional information to such unknown individuals.”

The company and its lawyer didn’t immediately respond to a request for comment.

Many clients whose data was breached wouldn’t even know Receivables Performance Management had their personal information, Loeser said. It simply collects debt while working with companies in various sectors, including health care, banking and utilities.

The attack

On May 12, 2021, the company became aware of a “data security incident,” according to the notice sent Nov. 21, 2022.

Its investigation found the hackers first accessed the company’s server a month earlier, on April 8. The ransomware attack was launched in May, exposing personal information for 3,766,573 people.

The company immediately disconnected all of its electronic equipment and began restoring its systems, according to the notice.

In the notice, Receivables Performance Management’s CEO Howard George wrote that the company’s data review process lasted until early October of this year.

“Through this review process, RPM identified the presence of your personal information in the files that were reviewed, including Social Security number,” George wrote. “Please note that it is entirely possible that your specific personal information was not impacted as a result of the incident. RPM also obtained confirmation to the best of its ability that the information is no longer in the possession of the third party(ies) associated with this incident.”

The CEO wrote that the company “deeply regrets any concern this may have caused you.”

It’s unclear if the company paid a ransom to get the data back or where the sensitive information is now. And it’s unknown who got the data.

“I don’t know that there is a world of honest thieves out there,” Loeser said. “There is absolutely no guarantee that paying a ransom in a ransomware attack means that the hacker will all of the sudden be altruistic and choose not to sell all of the information they stole on the Dark Web. You have to remember that they stole the information to begin with.”

Receivables Performance Management offered a free yearlong subscription to a credit monitoring and identity theft protection service. The company encouraged clients to contact it at 877-237-5382 for more information.

Loeser said the yearlong protection is “grossly insufficient.” Sometimes, hackers will hold on to the information for years, wait until people have their guards down and then use it.

The lawsuits allege the Lynnwood company failed to “maintain an adequate data security system to reduce the risk of data breaches.” Loeser said the fact the hack happened at all shows its data security efforts weren’t enough.

The debt collection company’s privacy policy on its website states: “As financial services professionals entrusted with sensitive information, we respect the privacy of our clients, and the privacy of their customers. We are committed to treating customer’s information responsibly.”

It’s likely more lawsuits will be filed against Receivables Performance Management. Those would probably then be consolidated into one class-action case.

A spokesperson for the Federal Trade Commission declined to comment on whether the agency was investigating the attack. A spokesperson for the state Office of the Attorney General didn’t immediately respond to a request for comment.

This article has been updated to reflect that Loeser suggested freezing credit bureau accounts.

Jake Goldstein-Street: 425-339-3439; Twitter: @GoldsteinStreet.
