On April 11, DataBreaches reported that a breach involving NCB Management had affected 494,969 Bank of America customers with past-due credit card accounts. At first glance, it appeared that the Pennsylvania collections firm had reported the breach to the Maine Attorney General’s Office, but closer attention revealed that it was Bank of America’s external counsel who had notified Maine. And after reviewing the sample letter to consumers more, DataBreaches began to suspect that Bank of America had written the letter that went out over NCB’s unsigned signature. The more DataBreaches looked at the situation and letter, the more questions it raised about whether the half a million Bank of America customers were only a subset of a much larger pool of breach victims, and whether this had been a hack where NCB paid some ransom to get “assurances.”
DataBreaches wrote to NCB Management on April 16 and posed a number of questions, including the following (edited for brevity):
1. Has NCB issued any statement or disclosure on behalf of other clients? If so, please email me a copy or provide a URL where it is posted.
2. The Bank of America notification stated, “NCB has obtained assurances that the third party no longer has any of the information on its systems.” In my experience, that’s code for “We paid the criminals and they promised to destroy all the data.” What group or individual gave you assurances? Did any law enforcement professionals suggest to you that these criminals were NOT reliable in keeping their word?
3. How many U.S. consumers, total, were affected by the ransomware attack?
The above are just three of the seven questions put to NCB.
On April 18, DataBreaches received the following reply from Ross S. Enders, Deputy General Counsel for NCB Management and its contact for Media Relations:
Thank you for your inquiry. Please see below the official statement from NCB that can be attributed to an “NCB spokesperson.” If possible, please use the statement in its entirety for your story.
NCB detected unauthorized access to our systems on February 4, 2023. We promptly took steps to secure the impacted systems by taking our networks offline and promptly reported the incident to Federal Law Enforcement. With the assistance of leading third-party cybersecurity experts, we immediately launched an investigation to determine the nature and scope of the event. We communicated to our Active Business Partners throughout the investigation and restoration process, particularly about any impacts to their data. We take this incident and security of our and clients’ information seriously.
They didn’t answer a single one of the seven questions that had been sent to them. DataBreaches wrote back:
Hello Ross. The statement is nonresponsive to the specific questions posed and is actually quite concerning for its lack of transparency. Please answer the questions. You may call me at 516-776-7756.
He did not respond.
This week, external counsel for NCB Management at Greenberg Traurig reported to the Maine Attorney General’s Office that a total of 1,087,842 people were affected by the breach. Of those, 3,261 were Maine residents.
Does that number include the almost half a million consumers Bank of America notified already? According to the submission to the state, Greenberg Traurig was
writing to inform you that our client, NCB Management Services, Inc. (“NCB”), on behalf of itself and, where applicable, certain of its clients, is notifying individuals of a data security incident that may have impacted some of their personal information, including approximately 3,261 individuals who reside in Maine. The NCB clients who have elected to be identified in this notification are listed in Schedule A hereto.
Schedule A listed “Pathward®, National Association” under “NCB Business Partner.” For that listing, 155 Maine residents were affected.
Given that Bank of America already notified Maine in March, it seems unlikely that the 1 million being reported now included the Bank of America numbers, but because of NCB’s lack of transparency, we still do not know the total number affected by this breach and we do not know what assurances NCB claimed it received or the basis for any such “assurances.”
Perhaps we will find out from a class action lawsuit. At least one has already been filed in federal court in Pennsylvania (Lindquist v. NCB Management, 2:2023cv01236) and there are at least five other related cases.
Update 1: NCB also reported this incident to the Massachusetts Attorney General. Massachusetts doesn’t require the entity to disclose the total number for the incident or for the state, so all we know is that 1,133 Massachusetts residents who had used TD Bank were among those affected.