Corporate Misconduct Accountability Project
MoneyGram Payment Systems, Inc. · Class Action
MoneyGram Data Breach Exposes Thousands to Identity Theft Risk
Social engineering attack compromised customer Social Security numbers, bank accounts, and other sensitive data. MoneyGram allegedly failed to detect the breach for seven days while criminals stole personal information.
CRITICAL SEVERITY
TL;DR
Between September 20-22, 2024, cybercriminals used a social engineering attack to breach MoneyGram’s systems and steal customer data including Social Security numbers, government IDs, bank account information, and transaction details. MoneyGram did not discover the breach until September 27, 2024, initially misleading the public by calling it a network outage. The complaint alleges MoneyGram lacked basic security measures like intrusion detection systems, monitoring tools, and properly trained helpdesk staff to prevent and detect such attacks.
If you used MoneyGram’s services and received a breach notification, your most sensitive financial data may now be in criminals’ hands.
7 days
Time hackers operated undetected in MoneyGram systems
3 days
Duration of active data theft (Sept 20-22, 2024)
430,000+
MoneyGram locations worldwide potentially affected
200+ countries
Geographic scope of MoneyGram operations
The Allegations: A Breakdown
Core Allegations
What MoneyGram allegedly did wrong · 8 points
| 01 | MoneyGram’s IT helpdesk fell victim to a basic social engineering attack where criminals impersonated an employee to gain system access. This type of attack is preventable with standard employee training that the company allegedly failed to implement. | high |
| 02 | The company stored customers’ personally identifiable information unencrypted, making it easy for hackers to steal once they gained access. Industry standards and FTC guidelines require encryption of sensitive data, which MoneyGram allegedly ignored. | critical |
| 03 | MoneyGram lacked basic intrusion detection systems, monitoring tools, and alerting mechanisms. Hackers operated inside the company’s networks for seven full days before discovery, suggesting complete absence of security monitoring infrastructure. | critical |
| 04 | The company initially misled customers and the public by calling the incident a network outage rather than disclosing it was a cyberattack. This delay tactic prevented customers from taking immediate protective action while criminals potentially sold their data. | high |
| 05 | MoneyGram promised customers it used robust physical, technical, organizational, and administrative safeguards to protect personal data. The breach exposed these promises as false, constituting potential breach of contract and deceptive trade practices. | high |
| 06 | The stolen data included the most sensitive types of personal information: Social Security numbers, government identification, bank account information, transaction details, and utility bills. This combination gives criminals everything needed for complete identity theft. | critical |
| 07 | MoneyGram failed to implement multi-factor authentication, proper access controls, network segmentation, or regular security audits. These are baseline security measures that any company handling financial data should maintain. | high |
| 08 | The company did not promptly notify affected customers about what specific data was compromised, when the breach occurred, or how long hackers had access. This lack of transparency prevented customers from assessing their risk and taking protective measures. | high |
Regulatory Failures
How MoneyGram violated federal standards · 5 points
| 01 | The Federal Trade Commission explicitly prohibits unfair practices including failure to use reasonable measures to protect confidential consumer data. MoneyGram’s security failures allegedly violate Section 5 of the FTC Act. | high |
| 02 | FTC guidelines published in 2016 specifically instruct businesses to encrypt information stored on networks, implement intrusion detection systems, monitor incoming traffic, and watch for large data transmissions. MoneyGram allegedly ignored all these requirements. | high |
| 03 | The company failed to meet minimum standards under the NIST Cybersecurity Framework, including requirements for access control, data security, protective technology, continuous monitoring, and incident response communications. | high |
| 04 | MoneyGram violated California’s Consumer Privacy Act by failing to implement reasonable security procedures appropriate to the nature of the information. This law empowers California residents to seek statutory damages for these violations. | medium |
| 05 | Industry standards require companies to limit retention of personal data, use industry-tested security methods, verify third-party vendors have security measures, and require complex passwords. MoneyGram allegedly failed on all counts. | medium |
Profit Over People
Corporate cost-cutting at customers’ expense · 4 points
| 01 | MoneyGram operates in more than 200 countries with over 430,000 locations worldwide, generating massive revenues. Despite this scale and resources, the company allegedly chose not to invest in basic cybersecurity infrastructure that would have prevented this breach. | high |
| 02 | Proper security systems including monitoring tools, intrusion detection, employee training, and encryption require ongoing investment. MoneyGram’s failures suggest deliberate decisions to treat security as a cost center rather than essential business function. | high |
| 03 | The company collected and stored vast amounts of customer data to facilitate its money transfer business and derive commercial benefit. When that data was stolen, MoneyGram transferred all the costs and risks to customers while retaining the profits. | high |
| 04 | MoneyGram’s public statements about robust safeguards served a marketing purpose, building customer trust to drive business. These promises were allegedly hollow, designed to extract value from customers without corresponding investment in protection. | medium |
Economic Fallout
Financial harm to victims · 6 points
| 01 | Victims now face immediate out-of-pocket costs for credit monitoring services, credit freezes at all three bureaus, and potential legal fees. These costs can easily exceed $200 per year per person for minimum seven years of monitoring. | high |
| 02 | Stolen data on the dark web sells for $40 to $200 per record, with complete identity packages fetching up to $4,500. The data brokering industry is worth $200 billion annually, making victims’ information extremely valuable to criminals. | high |
| 03 | Personal identifying information is worth more than 10 times the value of stolen credit card numbers on the black market. Social Security numbers and government IDs cannot be changed, making this stolen data permanently exploitable. | critical |
| 04 | Identity theft victims face damaged credit scores that prevent them from obtaining car loans, mortgages, or even employment. For people living paycheck to paycheck, these consequences can be financially catastrophic and life-altering. | critical |
| 05 | Victims must spend countless hours monitoring accounts, disputing fraudulent charges, and trying to reclaim their financial identity. This lost time represents real economic harm in the form of lost productivity and wages. | medium |
| 06 | Fraudulent use of stolen data may not surface for years, with criminals often holding data for up to a year before using it. This means victims face uncertainty and ongoing monitoring costs extending far into the future. | high |
Community Impact
Harm to vulnerable populations · 4 points
| 01 | MoneyGram serves immigrant and low-income communities who depend on money transfer services to send remittances supporting families in other countries. These vulnerable populations now face identity theft risks with limited resources to protect themselves. | high |
| 02 | The breach erodes trust in a financial institution that many communities rely on as essential infrastructure. When cornerstone services fail to protect users, it creates skepticism and fear that makes people hesitant to use legitimate financial services. | medium |
| 03 | For plaintiff Armando Reyes, MoneyGram’s systems failures caused his money transfer to be delayed eight days, resulting in late fees on bills the transfer was meant to pay. This direct financial harm exemplifies how the breach caused immediate, tangible damage. | medium |
| 04 | Many affected customers provided their data as a condition of receiving financial services they needed. They had no choice but to trust MoneyGram, and that mandatory trust was allegedly betrayed through negligence. | high |
Public Health and Safety
Psychological and emotional harm · 4 points
| 01 | Identity theft victims experience substantial psychological costs and time to repair damage to their credit and reputation. This prolonged stress causes anxiety, emotional distress, and loss of privacy that can persist for years. | medium |
| 02 | Victims must spend sleepless nights monitoring bank accounts and credit reports, constantly worried about fraudulent activity. This ongoing vigilance creates chronic stress and interferes with victims’ ability to focus on work and family. | medium |
| 03 | The violation of having one’s most sensitive personal information stolen and potentially sold to criminals is deeply traumatic. Victims lose their sense of security and control over their own identity and financial future. | medium |
| 04 | Plaintiff and class members have suffered invasion of privacy, loss of privacy, and interference with their daily lives. These harms are not speculative but real, ongoing injuries that affect quality of life and wellbeing. | medium |
Corporate Accountability Failures
How MoneyGram avoided responsibility · 4 points
| 01 | MoneyGram did not immediately recognize the cyberattack for what it was, initially treating it as a mere network outage. This failure to acknowledge the breach delayed investigation, notification, and response. | high |
| 02 | The company has not revealed the full extent of the breach, including exactly how many customers were affected. This lack of transparency prevents victims from fully understanding their exposure and taking appropriate protective measures. | high |
| 03 | MoneyGram failed to implement a reasonable incident response plan that would have enabled timely and adequate notification to class members. Customers learned about the breach’s severity through media reports rather than direct company communication. | medium |
| 04 | The company continues to hold personal data of affected customers in its systems, which remain subject to further unauthorized disclosure as long as MoneyGram fails to undertake adequate protective measures. The risk is ongoing. | high |
Exploiting Delay
How MoneyGram controlled the narrative · 4 points
| 01 | By calling the breach a network outage for the first several days, MoneyGram minimized public alarm and bought time to craft its response. This delay prevented customers from taking immediate protective action during the critical early hours after the breach. | high |
| 02 | MoneyGram took systems offline proactively only after the breach was already complete. The company’s public notice emphasized this proactive step while downplaying that hackers had already stolen data days earlier without detection. | medium |
| 03 | The seven-day gap between the breach occurring and MoneyGram discovering it gave criminals ample time to exfiltrate data, cover their tracks, and potentially begin selling information before victims even knew to monitor for fraud. | high |
| 04 | Law enforcement officials acknowledge that stolen data may be held for up to a year or more before being used for identity theft. MoneyGram’s delayed and incomplete disclosure means victims cannot assess when they are most at risk. | medium |
The Bottom Line
What this means for consumers · 4 points
| 01 | MoneyGram’s alleged failures represent a breach of the fundamental duty companies owe to protect customer data they collect and store. Customers provided sensitive information as a condition of service and received inadequate protection in return. | high |
| 02 | The breach was preventable with industry-standard security measures including employee training, encryption, monitoring systems, and intrusion detection. MoneyGram allegedly chose not to implement these basic protections despite being well aware of cybersecurity threats. | high |
| 03 | Affected customers now face years of elevated identity theft risk, ongoing monitoring costs, and potential financial fraud. The harm is not theoretical but concrete, measurable, and long-lasting. | high |
| 04 | Class members are entitled to damages for invasion of privacy, theft of their data, diminished value of their personal information, lost time, emotional distress, and the continued risk they face. They also deserve injunctive relief requiring MoneyGram to finally implement adequate security. | medium |
Timeline of Events
September 20, 2024
Cybercriminals begin infiltration of MoneyGram systems using social engineering attack on IT helpdesk
September 20-22, 2024
Hackers actively exfiltrate customer data including Social Security numbers, government IDs, bank accounts, and transaction information
September 22, 2024
Active data theft concludes; criminals complete exfiltration of customer information
September 27, 2024
MoneyGram finally discovers the data breach, seven days after hackers first gained access
September 2024 (initial days)
MoneyGram publicly describes incident as network outage rather than disclosing cyberattack
October 7, 2024
MoneyGram confirms hackers stole customer data in public statement acknowledging breach
October 14, 2024
Class action lawsuit filed in Northern District of Texas on behalf of affected customers
Direct Quotes from the Legal Record
QUOTE 1
MoneyGram’s false security promises
allegations
“We use a variety of robust physical, technical, organizational, and administrative safeguards to protect your personal data from unauthorized access, loss or alteration.”
💡 This statement from MoneyGram’s privacy policy directly contradicts the reality that hackers easily breached their systems and stole unencrypted data.
QUOTE 2
Scope of stolen data
allegations
“names, Social Security numbers, government identification information, transaction information, email addresses, postal addresses, names, phone numbers, utility bills, bank account information, MoneyGram Plus Rewards information, and some criminal investigation information for a limited number of customers”
💡 This comprehensive list of compromised data shows criminals obtained everything needed for complete identity theft and financial fraud.
QUOTE 3
How the breach occurred
allegations
“the Data Breach occurred through a social engineering attack on Defendant’s IT helpdesk wherein the malicious actors impersonated an employee to gain access to that employee’s account. The unauthorized actors then used the access given to it by IT helpdesk staff to remotely connect to Defendant’s information systems and target its Windows Active Directory systems directly.”
💡 This describes a preventable attack that basic employee training should have stopped, proving MoneyGram’s security failures were fundamental.
QUOTE 4
Seven-day detection failure
allegations
“the infiltration occurred between September 20 and September 22, 2024, but Defendant did not discovery the Data Breach until September 27, 2024.”
💡 The week-long gap between the breach and discovery reveals MoneyGram lacked basic monitoring systems to detect intruders in their network.
QUOTE 5
Initial public deception
delay_tactics
“Defendant did not initially recognize the cyberattack for what it was. Rather, it believed that it merely suffered a network outage rather than a data breach.”
💡 MoneyGram misled the public about the nature of the incident, preventing customers from taking protective action during the critical early period.
QUOTE 6
Lack of monitoring systems
allegations
“Given that Defendant failed to identify the malicious activity until it was already concluded, Defendant likely lacks the appropriate logging, monitoring, and alerting systems necessary to enable it to identify such attacks. Indeed, these tools are critical components of any reasonable cybersecurity program and are expected industry standards that Defendant had a duty to implement and maintain.”
💡 This expert analysis explains why the breach went undetected for so long and identifies MoneyGram’s failure to meet basic industry standards.
QUOTE 7
FTC security requirements ignored
regulatory
“The guidelines also recommend that businesses use an intrusion detection system to expose a breach as soon as it occurs, monitor all incoming traffic for activity indicating someone is attempting to hack into the system, watch for large amounts of data being transmitted from the system, and have a response plan ready in the event of a breach.”
💡 The FTC explicitly told companies like MoneyGram what security measures to implement, and MoneyGram allegedly ignored all of them.
QUOTE 8
Value of stolen data
economic
“Compared to credit card information, personally identifiable information . . . [is] worth more than 10x on the black market.”
💡 This quote from a cybersecurity expert proves the stolen MoneyGram data is extremely valuable to criminals and will be actively exploited.
QUOTE 9
Long-term risk to victims
economic
“law enforcement officials told us that in some cases, stolen data may be held for up to a year or more before being used to commit identity theft. Further, once stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years.”
💡 Government accountability office research shows breach victims face years of ongoing risk, not just immediate harm.
QUOTE 10
Direct harm to plaintiff
community
“Plaintiff Reyes attempted to send a money transfer using MoneyGram, but the funds were delayed for eight days because of Defendant’s systems outages that occurred because of the Data Breach. The delay was particularly harmful because it caused Mr. Reyes to be incur late fees for the bills the transfer was meant to pay.”
💡 This concrete example shows the breach caused immediate, measurable financial harm beyond the identity theft risk.
QUOTE 11
Unencrypted data storage
allegations
“The information held by Defendant in its computer systems at the time of the Data Breach included the unencrypted PII of Plaintiff and Class Members.”
💡 Storing sensitive data without encryption violates basic security standards and made the stolen information immediately usable by criminals.
QUOTE 12
Ongoing risk from continued data retention
accountability
“the continued risk to their PII, which remains in the possession of Defendant, and which is subject to further breaches, so long as Defendant fails to undertake appropriate and adequate measures to protect Plaintiff’s and Class Members’ PII.”
💡 MoneyGram still holds victims’ data in allegedly insecure systems, meaning the risk of future breaches continues.
QUOTE 13
Industry standards violations
regulatory
“Defendant failed to meet the minimum standards of one or more of the following frameworks: the NIST Cybersecurity Framework Version 1.1 (including without limitation PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.AT-1, PR.DS-1, PR.DS-5, PR.PT-1, PR.PT-3, DE.CM-1, DE.CM-4, DE.CM-7, DE.CM-8, and RS.CO-2), and the Center for Internet Security’s Critical Security Controls (CIS CSC)”
💡 This detailed list shows MoneyGram failed to implement multiple specific security controls that are standard in the industry.
QUOTE 14
Foreseeable harm
profit
“Data thieves regularly target institutions like Defendant due to the highly sensitive information in their custody. Defendant knew and understood that unprotected PII is valuable and highly sought after by criminal parties who seek to illegally monetize that PII through unauthorized access.”
💡 MoneyGram knew it was a target for cyberattacks and knew the value of the data it held, making its security failures even more inexcusable.
QUOTE 15
Psychological harm to victims
health
“Plaintiff suffered lost time, interference, and inconvenience because of the Data Breach and has experienced stress and anxiety due to increased concerns for the loss of his privacy.”
💡 The breach caused real emotional and psychological harm, not just theoretical future risk or financial loss.
Frequently Asked Questions
What data did MoneyGram expose in the breach?
The breach exposed some of the most sensitive types of personal information: Social Security numbers, government-issued ID information, bank account numbers, transaction details, email and postal addresses, phone numbers, utility bills, and MoneyGram Plus Rewards information. For a small number of customers, even criminal investigation information was compromised. This combination gives criminals everything they need for complete identity theft.
How did hackers get into MoneyGram’s systems?
Criminals used a social engineering attack, impersonating a MoneyGram employee to trick the company’s IT helpdesk into giving them access credentials. Once inside, they remotely connected to MoneyGram’s systems and targeted the Windows Active Directory directly. This type of attack is preventable with basic employee training that MoneyGram allegedly failed to provide.
How long were hackers inside MoneyGram’s network?
Hackers first infiltrated MoneyGram’s systems on September 20, 2024, and actively stole data through September 22, 2024. MoneyGram did not discover the breach until September 27, 2024, meaning criminals operated undetected for seven full days. This week-long gap suggests the company lacked basic intrusion detection and monitoring systems.
Why didn’t MoneyGram detect the breach sooner?
The complaint alleges MoneyGram failed to implement logging, monitoring, and alerting systems that are considered critical components of any reasonable cybersecurity program. Without intrusion detection systems, security event monitoring, or data loss prevention tools, the company had no way to see that criminals were inside their network stealing data.
What did MoneyGram initially tell the public about the breach?
MoneyGram initially called the incident a network outage rather than disclosing it was a cyberattack and data breach. This misleading characterization minimized public alarm and prevented customers from taking immediate protective action during the critical early period after their data was stolen.
What laws did MoneyGram allegedly violate?
The lawsuit alleges violations of the Federal Trade Commission Act (which prohibits unfair practices like failing to protect consumer data), California’s Consumer Privacy Act (which requires reasonable security measures), and common law duties of negligence and breach of contract. MoneyGram also allegedly failed to meet security standards in the NIST Cybersecurity Framework and FTC guidelines.
How much is my stolen data worth to criminals?
On the dark web, basic personal information packages sell for $40 to $200. Complete identity packages (called fullz) containing all the information stolen in this breach can sell for over $100 per record. Access to entire company data breaches sells for $900 to $4,500. Personal identifying information is worth more than 10 times the value of stolen credit card numbers.
What costs will I face because of this breach?
Breach victims typically face immediate costs for credit monitoring services (around $200 or more per year), fees for placing credit freezes at all three credit bureaus, potential legal fees, and lost time from work to deal with the aftermath. The lawsuit notes these monitoring costs should continue for at least seven years. If criminals use your data for fraud, you may face additional costs to dispute charges and repair credit damage.
How long am I at risk of identity theft after this breach?
The risk is long-term and potentially permanent. Government research shows criminals often hold stolen data for up to a year or more before using it, and once data is sold or posted online, fraudulent use can continue for years. Because Social Security numbers and government IDs cannot be changed, the compromised information remains exploitable indefinitely.
What can I do if I was affected by this breach?
The FTC recommends placing fraud alerts or credit freezes with all three credit bureaus, carefully monitoring your credit reports and financial accounts, disputing any fraudulent charges immediately, and considering extended fraud alerts that last seven years. You should also watch for phishing attempts using your stolen information. Additionally, you may be eligible to join the class action lawsuit seeking compensation and requiring MoneyGram to implement proper security measures.
Why are immigrants and low-income communities especially harmed?
MoneyGram is a vital service for immigrant and low-income communities who depend on it to send remittances supporting families in other countries. These populations often have limited resources to pay for credit monitoring, legal help, or to recover from identity theft. The breach erodes trust in a financial service that many people rely on as essential infrastructure, potentially making them hesitant to use legitimate financial services in the future.
What is the lawsuit asking MoneyGram to do?
The lawsuit seeks damages for affected customers and injunctive relief requiring MoneyGram to implement comprehensive security measures including: encrypting all customer data, installing intrusion detection and monitoring systems, conducting regular security audits and penetration testing, training employees on social engineering threats, implementing multi-factor authentication and access controls, and appointing an independent third party to verify compliance for seven years.
💡 Explore Corporate Misconduct by Category
Corporations harm people every day — from wage theft to pollution. Learn more by exploring key areas of injustice.
- 💀 Product Safety Violations — When companies risk lives for profit.
- 🌿 Environmental Violations — Pollution, ecological collapse, and unchecked greed.
- 💼 Labor Exploitation — Wage theft, worker abuse, and unsafe conditions.
- 🛡️ Data Breaches & Privacy Abuses — Misuse and mishandling of personal information.
- 💵 Financial Fraud & Corruption — Lies, scams, and executive impunity.
