COVID stimulus card issuer attack exposes 800K clients


Pathward, formerly known as MetaBank, was severely impacted by a third-party breach via the MOVEit Transfer hack. Nearly 800,000 people had their personal details exposed, including payment card numbers.

Pathward notified its clients of a third-party data breach that affected holders of its H&R Block Emerald Card. A third party that processed Pathward’s customer data used the MOVEit Transfer software, which hackers breached earlier this year.

“As a result of the MOVEit vulnerability, some of your personal information maintained by this service provider appears to have been acquired by an unauthorized party,” Pathward said in a breach notification letter to affected customers.

Pathward formerly did business as MetaBank, and its controlling company was called Meta Financial Group. Last year, it sold the Meta trademark for $60 million to Meta Platforms, owner of Facebook, Instagram, WhatsApp, and other products.

In 2021, MetaBank worked with the US Treasury Department to issue millions of COVID-19 stimulus debit cards, called Economic Impact Payment (EIP) cards, under the Coronavirus Aid, Relief, and Economic Security (CARES) Act.

What Pathward customer data was leaked?

According to data submitted to Maine’s Attorney General, 793,626 individuals were impacted by the breach. Over 62 million people have been exposed due to the MOVEit Transfer attacks.

Pathward’s letter to affected individuals explains that a company servicing the H&R Block Emerald Card, which is unrelated to EIP cards, managed customer information via MOVEit Transfer.

“On or about July 12th, 2023, we became aware that an unauthorized third party had acquired certain files transferred through the MOVEit Transfer tool, and on July 25th, 2023, the service provider provided its forensic data report,” read the letter.

The report indicated that while no Pathward or H&R Block systems were involved or compromised by the incident, attackers may have accessed a trove of sensitive customer data associated with the H&R Block Emerald Card, including:

Exposed financial data presents various risks to affected individuals. A card number and expiration date, collated with personal details, could allow attackers to perpetrate financial fraud, leading to unauthorized transactions and financial loss.

Cybercriminals can use stolen information to commit other types of fraud: from identity theft or phishing attacks to obtaining loans under false pretenses.

Experts warn that even seemingly insignificant pieces of leaked personal information can be collated to have a devastating impact. Victims often don’t realize they’ve been compromised and, therefore, take no action to mitigate the outcome.

To help those affected, Pathward said that it will provide two years of identity theft prevention services. Typically, companies that had their client data exposed provide users with 12 months of complimentary monitoring services.

The MOVEit Transfer attacks

Earlier this year, the Russia-linked Cl0p ransomware gang exploited a now-patched zero-day bug in MOVEit Transfer software, allowing attackers to access and download data. The software’s maker, Progress Software, says it disclosed the vulnerability on May 31st and deployed a patch on the same day.

Cl0p goes by a few different names. People in the cyber industry know the syndicate as TA505, Lace Tempest, Dungeon Spider, and FIN11. The gang is quite old, having been first observed back in 2019.

Earlier this summer, Cybernews received evidence that one of the Cl0p ransomware strain developers was in the city of Kramatorsk in Eastern Ukraine, on the front line of the Russia-Ukraine war.

Recent reports on how the gang distributes stolen data indicate that cybercrooks employ virtual private server (VPS) hosting services, with servers physically located in Russia’s two largest cities: Moscow and Saint Petersburg.

Numerous well-known organizations have had their clients exposed in the MOVEit attacks. For example, Sony Interactive Entertainment (SIE), a Sony branch responsible for developing PlayStation consoles, said that thousands of its former employees had their data exposed.

Other named victims include American Airlines, TJX off-price department stores, TomTom, Pioneer Electronics, Autozone, Johns Hopkins University and Health System, Warner Bros Discovery, AMC Theatres, Choice Hotels’ Radisson Americas chain, and Crowe accounting advisory firm.
