DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Update: NCB Management Services breach affected more than 1 million, but how many more? (1)

Posted on May 23, 2023 by Dissent

On April 11, DataBreaches reported that a breach involving NCB Management had affected 494,969 Bank of America customers with past-due credit card accounts.  At first glance, it appeared that the Pennsylvania collections firm had reported the breach to the Maine Attorney General’s Office, but closer attention revealed that it was Bank of America’s external counsel who had notified Maine. And after reviewing the sample letter to consumers more, DataBreaches began to suspect that Bank of America had written the letter that went out over NCB’s unsigned signature. The more DataBreaches looked at the situation and letter, the more questions it raised about whether the half a million Bank of America customers were only a subset of a much larger pool of breach victims, and whether this had been a hack where NCB paid some ransom to get “assurances.”

DataBreaches wrote to NCB Management on April 16 and posed a number of questions, including the following (edited for brevity):

1. Has NCB issued any statement or disclosure on behalf of other clients? If so, please email me a copy or provide a URL where it is posted.

2. The Bank of America notification stated, “NCB has obtained assurances that the third party no longer has any of the information on its systems.” In my experience, that’s code for “We paid the criminals and they promised to destroy all the data.” What group or individual gave you assurances? Did any law enforcement professionals suggest to you that these criminals were NOT reliable in keeping their word?

3. How many U.S. consumers, total, were affected by the ransomware attack?

The above are just three of the seven questions put to NCB.

On April 18, DataBreaches received the following reply from Ross S. Enders, Deputy General Counsel for NCB Management and its contact for Media Relations:

Thank you for your inquiry. Please see below the official statement from NCB that can be attributed to an “NCB spokesperson.” If possible, please use the statement in its entirety for your story.

NCB detected unauthorized access to our systems on February 4, 2023. We promptly took steps to secure the impacted systems by taking our networks offline and promptly reported the incident to Federal Law Enforcement. With the assistance of leading third-party cybersecurity experts, we immediately launched an investigation to determine the nature and scope of the event. We communicated to our Active Business Partners throughout the investigation and restoration process, particularly about any impacts to their data. We take this incident and security of our and clients’ information seriously.

They didn’t answer a single one of the seven questions that had been sent to them.  DataBreaches wrote back:

Hello Ross. The statement is nonresponsive to the specific questions posed and is actually quite concerning for its lack of transparency. Please answer the questions. You may call me at 516-776-7756.

He did not respond.

This week, external counsel for NCB Management at Greenberg Traurig reported to the Maine Attorney General’s Office that a total of 1,087,842 people were affected by the breach. Of those, 3,261 were Maine residents.

Does that number include the almost half a million consumers Bank of America notified already? According to the submission to the state, Greenberg Traurig was

writing to inform you that our client, NCB Management Services, Inc. (“NCB”), on behalf of itself and, where applicable, certain of its clients, is notifying individuals of a data security incident that may have impacted some of their personal information, including approximately 3,261 individuals who reside in Maine. The NCB clients who have elected to be identified in this notification are listed in Schedule A hereto.

Schedule A listed  “Pathward®, National Association” under “NCB Business Partner.” For that listing, 155  Maine residents were affected.

Given that Bank of America already notified Maine in March, it seems unlikely that the 1 million being reported now included the Bank of America numbers, but because of NCB’s lack of transparency, we still do not know the total number affected by this breach and we do not know what assurances NCB claimed it received or the basis for any such “assurances.”

Perhaps we will find out from a class action lawsuit. At least one has already been filed in federal court in Pennsylvania (Lindquist v. NCB Management, 2:2023cv01236) and there are at least five other related cases.


Update 1: NCB also reported this incident to the Massachusetts Attorney General. Massachusetts doesn’t require the entity to disclose the total number for the incident or for the state, so all we know is that 1,133 Massachusetts residents who had used TD Bank were among those affected.


Related posts:

  • NCB Management breach affected almost 500,000 former Bank of America credit card holders
  • Commentary: Repeated insider breaches at TD Bank should trigger federal regulator investigation (update 1)
  • Who is on TEKsystems Intel Leak
Category: Breach Incidents

Post navigation

← Bits ‘n Pieces (Trozos y Piezas)
After ransomware attack, state’s second-largest health insurer says patient data were stolen →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Horizon Healthcare RCM discloses ransomware attack in December
  • Disgruntled IT Worker Jailed for Cyber Attack, Huddersfield
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Texas Centers for Infectious Disease Associates Notifies Individuals of Data Breach in 2024
  • Battlefords Union Hospitals notifies patients of employee snooping in their records
  • Alert: Scattered Spider has added North American airline and transportation organizations to their target list
  • Northern Light Health patients affected by security incident at Compumedics; 10 healthcare entities affected
  • Privacy commissioner reviewing reported Ontario Health atHome data breach
  • CMS warns Medicare providers of fraud scheme
  • Ex-student charged with wave of cyber attacks on Sydney uni

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Supreme Court Decision on Age Verification Tramples Free Speech and Undermines Privacy
  • New Jersey Issues Draft Privacy Regulations: The New
  • Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report
  • Germany Wants Apple, Google to Remove DeepSeek From Their App Stores
  • Supreme Court upholds Texas law requiring age verification on porn sites
  • Justices nix Medicaid ‘right’ to choose doctor, defunding Planned Parenthood in South Carolina
  • European Commission publishes its plan to enable more effective law enforcement access to data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.