Update: And this is why we said “allegedly” and “unconfirmed.” CCC responded to yesterday’s inquiry with the following reply:
Credit Control Corporation is not currently the subject of any data breach or security incident referenced in your message.
The original post appears below for context.
A seller on a forum claims to have data on 9.1 million consumers whose personal information is in the hands of a cash recovery and collections firm. Nothing has been confirmed, but they claim an employee of the firm knowingly gave them access.
On May 4, 2023, the R&B Corporation of Virginia, a Newport News-based cash recovery vendor doing business as the Credit Control Corporation (“CCC”), began notifying individuals that their information was involved in a data breach in March 2023 that exposed personal identification information and financial information of approximately 286,700 individuals. The information in the breach included names, addresses, Social Security numbers, and information relating to underlying accounts between individuals and R&B’s business customers.
The class action lawsuit stemming from the incident received final court approval in January 2025 with a $1.61M settlement fund.
To the best of DataBreaches’ knowledge, the threat actor or gang was never publicly revealed. But in the wake of the 2023 breach, and as part of the settlement, CCC agreed to implement additional security controls:
2. SECURITY COMMITMENTS; PROSPECTIVE RELIEF
In the wake of the security incident, R&B implemented additional security controls to enhance its network security. R&B enhanced data segmentation and access controls to limit unauthorized access including: deployment of firewall malware monitoring; implementation of Cloudflare Zero Trust platform to ensure that all network traffic is verified and authenticated and access resources are granted on a least-privilege basis; utilize micro-segmentation to divide the network traffic into smaller, more secure zones and restrict communication between these zones.
R&B further increased its investment in threat intelligence and security monitoring to detect and respond security events, including: deployment of an advanced threat detection and response system that identifies threats in real time, monitored 24/7 by a security operation center (“SOC”), overlapping endpoint detection and response (“EDR”) security agents on devices that operate in the environment; and implementation of SIEM monitoring system which collects and analyzes security events for all devices connected to the environment.
R&B agrees, as a material term of the settlement agreement, to undertake these data security measures for a period of two years following the Effective Date.
Re R&B Corporation of Virginia d/b/a Credit Control Corporation, Data Security Breach Litigation, No. 4:23-cv-0066 received final court approval on January 29, 2025.
But now CCC has reportedly suffered another breach — one that allegedly impacts 9.1 million people. And the person claiming responsibility for it claims that CCC never detected it while it was in progress.
New Claims Are Unconfirmed by CCC
A user on a hacking-related forum posted data for sale, but other than providing a sample .csv file allegedly from 5/21/2025 that contains data on mortgage borrowers, there is no information in the listing about how the data were acquired, whether the seller is the person who acquired the data, and, if so, whether they ever contacted CCC to make any financial demands.
DataBreaches reached out to the seller to see if they would answer any questions about how the data were acquired. DataBreaches did make contact with the seller after first attempting to validate some of the data in the .csv file.
Attempt to Verify
DataBreaches attempted to verify some of the information in the sample .csv file provided. For a small random sample of 9 named individuals who were among a larger sample whose addresses were included in the .csv file, DataBreaches was able to find confirmation via a Google search that all 9 could be found: 8 of them were listed with the same address that shows as their current address via Google; for the 9th, the .csv address is now listed as a former address for them in a Google search. For one of the nine, DataBreaches found an obituary from September 2021, raising some questions about how often that .csv file might have been updated.
Statements by Seller
In a Telegram chat with the seller, DataBreaches was told that the seller gained access to the data through contact with an employee there.
“am have man work there,” “Jack” told DataBreaches, later expanding on that to explain that they got the employee to give them access to the server.
According to Jack, CCC never detected the data being exfiltrated.
Jack has not contacted CCC and has not and will not try to directly ransom them, they said, because they did not want the employee to get caught. Rather than a ransom/extortion approach, they are listing the data for sale. That said, Jack seemed to be confident that no one would be able to figure out who the employee was. He was not willing to answer any more questions unless he got paid to answer them, and since DataBreaches cannot ethically pay for information, that concluded our chat.
CCC Contacted
DataBreaches reached out to CCC today via their website contact form. In two messages, DataBreaches asked whether CCC had confirmed any breach, and, if so, whether it was just mortgage data or included medical data too. CCC was also asked if they had contacted the FBI. After contacting the seller/hacker, DataBreaches sent a follow-up inquiry about the claimed role of an insider/employee.
No replies have been received by publication. DataBreaches will update this post if a reply is received.