MoneyGram customer data breached in attack

MoneyGram confirms that customer data has been stolen in an incident that appears to have started with a social engineering attack on its IT helpdesk staff

Financial services firm and money transfer specialist MoneyGram has disclosed a breach of customer data arising from a late-September cyber attack on its systems, but has waited over a week to tell customers that they have been affected.

The incident first manifested as a network outage on 20 September, before being confirmed as a cyber incident on 23 September. According to reporting by Bleeping Computer, MoneyGram and cyber forensics experts at CrowdStrike have since confirmed it was not a ransomware attack. The outlet additionally cited internal emails shared with it that reveal the breach may have been the result of a social engineering attack on MoneyGram’s IT helpdesk.

It hit MoneyGram’s global operations and led directly to the cancellation in the UK of a longstanding contract with the Post Office to offer money transfer services within its branches. In poorer countries, where MoneyGram is relied on by workers who have migrated abroad to remit money to their families, the impact has been even more keenly felt.

In a statement published on Monday 7 October, MoneyGram said that it had determined that an unauthorised third-party had accessed and acquired information on “certain consumers” on 27 September. It added that it was still investigating “the issue”.

“Upon detecting the issue, we took steps to contain and remediate it, including proactively taking certain systems offline, which temporarily impacted the availability of our services,” said MoneyGram. “We also launched an investigation with the assistance of leading external cyber security experts and have been coordinating with law enforcement. Our systems are back online and we have resumed normal business operations.

“We recommend that you remain vigilant for incidents of fraud and identity theft by reviewing account statements. We also recommend that you remain alert for unsolicited communications involving your personal information.”

The affected information includes data such as names, contact details, birthdays, national identification numbers, copies of government identity documents, bank account numbers, details of transactions made on MoneyGram, and rewards programme details.

The organisation gave no indication of where the affected customers were located, but it is offering affected consumers identity protection and credit monitoring services for the next two years at no cost.

Social engineering is super effective

Although there is no evidence to link the MoneyGram incident to other attacks that were similar in their scope – such as the late-2023 Scattered Spider breaches of multiple organisations orchestrated through the compromise of their helpdesk environments using Okta credentials – the incident does prove how devastatingly effective a simple social engineering attack can be.

Dane Sherrets, senior solutions architect at HackerOne, said that emergent technologies would likely cause the problem to get worse before it gets better: “As generative AI technology gets better, faster and cheaper, employees will continue to be a point of focus for threat actors.

“AI-powered tools give attackers the ability to conduct spear-phishing attacks at scale. Rather than spraying low-effort phishing messages, attackers can carry out high-quality, customised attacks more easily than ever before.

“To combat the expected increase and effectiveness of social engineering attacks, organisations should consider additional processes to educate employees while determining ways to implement the principle of least privilege to help minimise risk.” 

Timeline: The MoneyGram incident

  • 24 September: Money transfer specialist MoneyGram's services remain down several days after a network outage developed into a full-blown cyber security incident.
  • 1 October: The Post Office offered a short extension to enable it to assess the impact of the MoneyGram cyber incident, but the contract has now expired and MoneyGram services are no longer available in Post Office branches.
  • 2 October: Money transfer fintech wrote to subpostmasters expressing its disappointment with the Post Office over the end of the contract.
