TMX Finance, parent company of TitleMax, TitleBucks and InstaLoan, experienced a major breach of its network, resulting in nearly 5 million customer accounts’ data being siphoned out by malicious actors over a period of 11 days in mid-February 2023.
The data stolen included driver’s license numbers, federal/state IDs, tax IDs, social security numbers and other financial account information. This would allow malicious parties to potentially open lines of credit or commit other kinds of identity fraud against the 4.8 million+ affected parties.
TMX’s Response In Line with ISO/IEC 27001
While specific details of how the breach occurred are not public record, TMX has publicly released its mitigation and incident response measures, after stating that it had ‘contained and continued to monitor its systems for suspicious activity’.
The company has implemented endpoint protection and monitoring, a measure that ISO and NIST standards advise as protection against potential attacks, along with mandated resets of all employee passwords to block access via potentially compromised accounts. This is addressed explicitly in several ISO/IEC 27001 clauses:
- 8.1 – Operational Planning and Control – This emphasizes the need for organizations to plan, implement and control their operations to meet information security requirements.
- 8.2 – Information Security Risk Assessment – This focuses specifically on identifying and assessing information security risks to determine the appropriate risk treatment measures.
- 8.3 – Information Security Risk Treatment – This outlines the process of selecting and implementing risk treatment measures to address identified risks.