LYNNWOOD — A security breach at a Lynnwood-based debt collection agency jeopardized sensitive personal information for more than 3 million people across the country last year.
And the company, Receivables Performance Management, failed to notify potential victims for over 18 months. It wasn’t until late last month the company sent notices alerting people their social security numbers and names may have been accessed.
The Lynnwood company now faces a slew of lawsuits in federal court in Seattle. The complaints allege the company violated state law due to an alleged lack of security and the delay in notifying people of the breach. The four plaintiffs are from Georgia, New Jersey, North Carolina and Pennsylvania. Several of them had fraudulent activity on their bank accounts before they were notified of the breach.
An attorney for the plaintiffs, Kaleigh Boyd of Seattle law firm Tousley Brain Stephens, declined to comment Wednesday.
Tom Loeser, a lawyer with Hagens Berman, also of Seattle, told The Daily Herald his firm has heard from several other people who received the notice. He has lots of questions as his firm investigates the ransomware attack.
“When did they learn about it?” Loeser said. “When did they get the ransom message? And why didn’t they tell people then? Were they working with the hackers to try to get the information back? Were they going to keep it close to their vests and not tell anybody until they thought they resolved it?”
Loeser, a former federal prosecutor in California who handled cyber crime cases, suggested those affected should freeze their accounts at all three of the credit bureaus. And if one pays for anything to protect their data, be sure to keep the receipts.
In the notice to those affected, the company advised people closely monitor “all mail, email, or other contact from individuals not known to you personally, and to avoid answering questions or providing additional information to such unknown individuals.”
The company and its lawyer didn’t immediately respond to a request for comment.
Many clients whose data was breached wouldn’t even know Receivables Performance Management had their personal information, Loeser said. It simply collects debt while working with companies in various sectors, including health care, banking and utilities.
On May 12, 2021, the company became aware of a “data security incident,” according to the notice sent Nov. 21, 2022.
Its investigation found the hackers first accessed the company’s server a month earlier, on April 8. The ransomware attack was launched in May, exposing personal information for 3,766,573 people.
The company immediately disconnected all of its electronic equipment and began restoring its systems, according to the notice.
In the notice, Receivables Performance Management’s CEO Howard George wrote that the company’s data review process lasted until early October of this year.
“Through this review process, RPM identified the presence of your personal information in the files that were reviewed, including Social Security number,” George wrote. “Please note that it is entirely possible that your specific personal information was not impacted as a result of the incident. RPM also obtained confirmation to the best of its ability that the information is no longer in the possession of the third party(ies) associated with this incident.”
The CEO wrote that the company “deeply regrets any concern this may have caused you.”
It’s unclear if the company paid a ransom to get the data back or where the sensitive information is now. And it’s unknown who got the data.
“I don’t know that there is a world of honest thieves out there,” Loeser said. “There is absolutely no guarantee that paying a ransom in a ransomware attack means that the hacker will all of the sudden be altruistic and choose not to sell all of the information they stole on the Dark Web. You have to remember that they stole the information to begin with.”
Receivables Performance Management offered a free yearlong subscription to a credit monitoring and identity theft protection service. The company encouraged clients to contact it at 877-237-5382 for more information.
Loeser said the yearlong protection is “grossly insufficient.” Sometimes, hackers will hold on to the information for years, wait until people have their guards down and then use it.
The lawsuits allege the Lynnwood company failed to “maintain an adequate data security system to reduce the risk of data breaches.” Loeser said the fact the hack happened at all shows its data security efforts weren’t enough.
It’s likely more lawsuits will be filed against Receivables Performance Management. Those would probably then be consolidated into one class-action case.
A spokesperson for the Federal Trade Commission declined to comment on whether the agency was investigating the attack. A spokesperson for the state Office of the Attorney General didn’t immediately respond to a request for comment.
This article has been updated that Loeser suggested freezing credit bureau accounts.