Lynnwood-based debt collection company under investigation following 2021 data breach affecting 3.7 million customers

Seattle law firm Hagens Berman said it has launched an investigation into a Lynnwood-based debt collection company after it experienced a significant data breach earlier this year that leaked the names and Social Security numbers of over 3.7 million people.

Receivables Performance Management LLC (RPM) was first breached on April 8, 2021, when an unauthorized party gained access to its systems. A ransomware attack on the company followed on May 12, 2021, when files containing sensitive consumer data were accessible to the unauthorized party.

Only on Nov. 21, 2022 — more than 18 months later — did RPM notify affected individuals, Hagens Berman said in a press release.

RPM representatives issued an apology to any affected individuals and said they are closely monitoring the situation in an attempt to hinder any further damage.

“[RPM] understands the importance of protecting personal information and we apologize for any inconvenience this incident may have caused,” a representative said in a follow-up email. “It is important to note that there is no verified evidence that any personal information was published, shared or misused as a result of this incident.”

“The information left vulnerable to hackers during this ransomware attack and data breach is highly sensitive and put millions of people at risk of identity theft and years of damaging fraud, financial loss and hardship that comes with an incident of stolen identity,” said Tom Loeser, a Hagens Berman partner and former federal prosecutor in the Cyber and Intellectual Property Crimes Section of the U.S. Attorney’s Office in Los Angeles. “We believe RPM’s callous data security protocols and 18-month delay in publicizing this data breach have devastated those affected, and we urge anyone who has been notified by mail to contact us about their rights.”

Leave a Reply

Your email address will not be published. Required fields are marked *

Real first and last names — as well as city of residence — are required for all commenters.
This is so we can verify your identity before approving your comment.