RiteCheck Cashing, a financial services provider based in New York, has disclosed a major data breach that exposed sensitive personal and financial information belonging to nearly 70,000 individuals. Though the breach occurred in late August 2023, impacted customers and employees were only notified this week—almost a year later.
Unauthorized Server Access Leads to Large-Scale Data Exposure
According to the official breach notice, an “unauthorized user” gained access to RiteCheck’s servers in August 2023. The compromised server contained a variety of personal and payment-related data tied to both customers and employees.
“The contents of the server were reviewed, and it was discovered that personal information belonging to a subset of RiteCheck customers and employees was potentially impacted as a result of the incident,” the company wrote in its notice.
RiteCheck reported the breach to the Maine Attorney General’s Office, stating that 68,042 individuals were affected.
The exposed information includes:
- Full names
- Physical addresses
- Dates of birth
- Social Security numbers
- Driver’s license numbers
- Government-issued ID numbers
- Payment card numbers
Delay in Notification Raises Concerns About Risk Window
The most troubling aspect of this incident is the 11-month delay between the breach and public notification. During that time, the stolen data could have been actively exploited by cybercriminals.
The type of information exposed—especially in combination—creates a high risk of identity theft, loan fraud, and payment card abuse. Exposed payment card numbers are especially valuable in underground cybercrime markets, where they are frequently sold and used for fraudulent purchases or identity spoofing.
Remediation Measures and Support for Affected Individuals
Following the attack, RiteCheck implemented a number of defensive measures to secure its environment, stating that it had:
- Changed passwords across user accounts
- Deployed endpoint detection and monitoring solutions
In an effort to assist impacted individuals, the company is also offering 12 months of credit monitoring and identity protection services.
This breach serves as a stark reminder of the cybersecurity challenges facing financial service providers, particularly in sectors handling sensitive ID and payment information.
