Posted On November 22, 2022 Consumer Privacy & Data Breaches
On November 21, 2022, Receivables Performance Management LLC (“RPM”) filed notice of a data breach with the Attorney General of Maine after the company experienced a ransomware attack compromising sensitive consumer data in its possession. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ personal information, including their names and Social Security numbers. After confirming that consumer data was leaked, RPM began sending out data breach notification letters to all individuals who were impacted by the recent data security incident. It is estimated that the Receivables Performance Management data breach affected the information of over 3.7 million consumers.
If you received a data breach notification, it is essential you understand what is at risk. The data breach lawyers at Console & Associates, P.C. are actively investigating the RPM data breach on behalf of people whose information was exposed. As a part of this investigation, we are providing free consultations to anyone affected by the breach who is interested in learning more about the risks of identity theft, what they can do to protect themselves, and what their legal options may be to obtain compensation from Receivables Performance Management LLC.
The available information regarding the Receivables Performance Management breach comes from the company’s filing with the Maine Attorney General. According to this source, on or about May 12, 2021, RPM became aware of a potential cybersecurity incident when portions of the company’s computer system were inexplicably taken offline. In response, Receivables Performance Management disconnected all systems and worked to get them back online. Additionally, the company rebuilt its servers and then contacted a third-party data security firm to assist with the company’s investigation. Through this investigation, RPM hoped to learn more about the nature and extent of the incident, as well as what, if any, consumer data was compromised as a result.
The RPM investigation confirmed that an unauthorized party first gained access to its systems on April 8, 2021, and that a ransomware attack was launched on May 12, 2021. The company’s investigation also revealed that certain files containing sensitive consumer data were accessible to the unauthorized party.
Upon discovering that sensitive consumer data was made available to an unauthorized party, Receivables Performance Management began to review the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your personal information, including your name and Social Security number.
On November 21, 2022, Receivables Performance Management sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
Receivables Performance Management LLC is an accounts receivable company based in Lynnwood, Washington. The company helps its business clients recover outstanding accounts receivable through a variety of collection techniques, including telemarketing services, customized dunning notice services, outsourcing and pre-collection services, early age reactivation services, late stage / post statute services, small balance portfolio services, and inbound and outbound services. RPM works with companies in all industries, including healthcare, retail card, credit card, auto finance, utilities, and more. Receivables Performance Management employs more than 51 people and generates approximately $47 million in annual revenue.
Receivables Performance Management LLC first discovered that the company was the target of a ransomware attack in May 2021; however, it did not file an official notice of the breach or send out data breach letters to affected individuals until November 2022 – almost 18 months later. Assuming that Receivables Performance Management knew that consumer data may have been leaked, wouldn’t such a delay increase the likelihood of identity theft or other frauds?
Certainly, the answer is “yes.” Hackers and other cybercriminals typically use any information stolen through a data breach as soon as possible. This is because the stolen information may become useless to them if a consumer closes their account or takes other precautionary measures. Thus, by waiting to provide notice, a company gives hackers more time to use the data for criminal purposes. If this is the case, why would a company wait to provide notice to those who were affected by a data breach? There are a few possible answers.
One explanation for waiting to notify consumers of a breach is that the company didn’t realize it had been the victim of a cyberattack. However, in the case of the Receivables Performance Management breach, it appears that the company discovered that an unauthorized party at least potentially had access to its employee email accounts shortly after the breach occurred. While there are exceptions, as a general matter, organizations with robust data security systems can often detect and contain a breach rather quickly. So, while companies can’t report a breach they are entirely unaware of, a company’s failure to discover unauthorized access raises questions about its data security practices.
Another possible reason why a company might not report a data breach right away is that it is cooperating with law enforcement to investigate the incident. In larger breaches especially, state and federal law enforcement agencies may request that companies wait to report a breach. This is to prevent hackers from being alerted to the fact that the breach is under investigation. By waiting to publicly report a breach, a company gives law enforcement time to investigate the incident and, potentially, catch the hackers who conducted the attack. Often, companies will explain in their data breach letters if notification was delayed because of a pending law enforcement investigation.
Finally, a company may not report a breach right after its discovery if the company is in the process of reviewing the compromised information to determine what was leaked and who was affected. When a company learns of a data breach, it may not know what data was compromised until it completes a thorough investigation, which can take some time. Of course, companies can issue preliminary data breach notices to customers, providing them with what limited information they have at the time.
The fact that a company waits to file official notice of a data breach doesn’t mean the company is being negligent of the risks the breach poses to consumers. It also doesn’t necessarily mean that the company is trying to sweep the incident under the rug. However, as a general practice, companies that learn of a data security incident should inform consumers as soon as possible, giving them time to protect themselves from the worst consequences of a breach.
At Console & Associates, P.C., our consumer privacy lawyers monitor all security and data breaches to help affected consumers pursue their legal remedies. We offer free consultations to victims of data breaches and can explain your rights in clear, understandable terms so you can make an informed decision about how to proceed with your case. If you’ve been affected by the RPM data breach or any other data security incident, Console & Associates, P.C., will investigate your case at no charge and offer you thorough advice about how to most effectively proceed with your case. If you decide to bring a case, we only get paid if you do. If your claim is successful, any legal fees are either paid by the defendant or come out of the funds recovered from the defendant. If your claim doesn’t result in a recovery, you will pay nothing.
Below is a copy of the initial data breach letter issued by Receivables Performance Management LLC (the actual notice sent to consumers can be found here):
Receivables Performance Management (“RPM”) understands the importance of protecting your information and is writing to inform you that it recently identified and addressed a security incident that may have involved your personal information. This notice describes the incident, outlines the measures that RPM has taken in response, and advises you on steps you can take to further protect your information.
What Happened? On or about May 12, 2021, RPM became aware of a data security incident that impacted its server infrastructure and took our systems offline. RPM responded immediately by physically disconnecting all equipment and began undertaking necessary efforts to restore its systems. Immediately following the incident and over a 36-hour time frame, RPM rebuilt its shared servers from the ground up and removed and reinstalled all collection and dialing software on all equipment. RPM also retained a forensic investigation firm to determine the nature of the security compromise and identify any individuals whose information may have been compromised.
What Information Was Involved? The forensic investigation determined that first access to RPM’s systems occurred on approximately April 8, 2021, with the ransomware launched on May 12, 2021. While the findings of the forensic investigation were not conclusive, the data security incident may have resulted in unauthorized access to and/or acquisition of certain data on RPM’s systems. As a result, in an abundance of caution, RPM began undertaking extensive efforts to gather and review this data to identify the presence of any personal information.
RPM began this process by identifying and collecting all data that may have been accessed or acquired in connection with the data security incident. Given the complexities of RPM’s server infrastructure, these efforts were extensive. RPM thereafter undertook a comprehensive, time-intensive data review process, including manual review, of these documents to identify the presence of any personal information. This process concluded on or around October 2, 2022. Through this review process, RPM identified the presence of your personal information in the files that were reviewed, including Social Security number. Please note that it is entirely possible that your specific personal information was not impacted as a result of the incident. RPM also obtained confirmation to the best of its ability that the information is no longer in the possession of the third party(ies) associated with this incident.
What We Are Doing. As stated above, RPM responded immediately to the data security incident by physically disconnecting all equipment and began undertaking necessary efforts to restore its systems. Immediately following the incident and over a 36-hour time frame, RPM rebuilt its shared servers from the ground up and removed and reinstalled all collection and dialing software on all equipment. RPM also retained a forensic investigation firm to determine the nature of the security compromise and identify any individuals whose information may have been compromised. Please be advised that RPM is continuing to work closely with leading security experts to identify and implement measures to further strengthen the security of their systems to help prevent this from happening in the future.
FREE CREDIT MONITORING/INSURANCE: Additionally, we are offering you a free [Redacted]-month membership to TransUnion myTrueIdentity credit monitoring service. This product helps detect possible misuse of your personal information and provides you with identity protection services focused on immediate identification and resolution of identity theft. This product also includes various features such as up to $1,000,000 in identity theft insurance with no deductible, subject to policy limitations and exclusions. TransUnion myTrueIdentity is completely free to you and enrolling in this program will not hurt your credit score. For more information on identity theft protection and TransUnion myTrueIdentity, including instructions on how to activate your complimentary [Redacted]-month membership, please see the additional information attached to this letter. TO TAKE ADVANTAGE OF THE FREE CREDIT MONITORING OFFER, YOU MUST ENROLL BY [Redacted].
What You Can Do. We are aware of how important personal information is to you. We encourage you to protect yourself from potential harm associated with this incident by enrolling in the credit monitoring service, closely monitoring all mail, email, or other contact from individuals not known to you personally, and avoiding answering questions or providing additional information to such unknown individuals. We also remind you to remain vigilant for incidents of fraud or identity theft by reviewing account statements, explanation of benefits statements, and credit reports for unauthorized activity, and to report any such activity or any suspicious contact whatsoever to law enforcement if warranted.
For More Information. For further information on steps you can take to prevent possible fraud or identity theft, please see the attachments to this letter. RPM understands the importance of protecting your personal information, and deeply regrets any concern this may have caused to you. Should you have any questions and would like further information regarding the information contained in this letter, please do not hesitate to contact 877-237-5382 Monday through Friday from 9:00 a.m. to 9:00 p.m. Eastern Time.