A Washington-based collection agency has reported a data breach to the Attorney General of Maine after being the target of a ransomware attack last year that compromised the personal information of more than 3 million people, according to published reports. Attorneys have already started looking for individuals whose information may have been part of the breach as a precursor to filing class-action lawsuits against the company.
In May 2021, portions of the computer system at Receivables Performance Management were taken offline, according to a published report, which was based off the company’s filing with the Maine AG’s office. After disconnecting all of its systems and rebuilding its servers, the company hired a third-party security firm to conduct an investigation. The investigation uncovered that an unauthorized party gained access to the company’s servers in April 2021 and launched a ransomware attack the following month. The investigation also uncovered that files containing personal information about consumers were accessible to the unauthorized party.
Last month, the company began sending out breach notification letters to individuals whose information was compromised as a result of the incident.
It was not disclosed if the company paid the ransom — or even if a demand was made — and the identity of the person who gained access is not known.
In the letter that was sent out to affected individuals, the CEO of RPM said, “Please note that it is entirely possible that your specific personal information was not impacted as a result of the incident. RPM also obtained confirmation to the best of its ability that the information is no longer in the possession of the third party(ies) associated with this incident.”