Data Breach @ MoneyGram Exposes Social Security Numbers & Bank Account Information

MoneyGram Left Your Social Security Number Unlocked. Hackers Walked Right In.

How a Phone Call Unlocked MoneyGram’s Entire Network

MoneyGram is one of the largest money transfer companies on the planet, operating in more than 200 countries and territories across more than 430,000 locations. The data breach that compromised its customers’ most sensitive information was not stopped by any of MoneyGram’s claimed “robust safeguards.” It was enabled by a single phone call to the wrong person.

  • September 20–22, 2024: Cybercriminals conducted a social engineering attack on MoneyGram’s IT helpdesk. They impersonated a MoneyGram employee, convinced helpdesk staff to grant access to that employee’s account, and then used that access to remotely connect to MoneyGram’s internal information systems.
  • Target: Windows Active Directory. Once inside, the attackers went directly for MoneyGram’s Windows Active Directory systems. Active Directory is the backbone of enterprise network access control. Owning it means owning the network.
  • MoneyGram did not detect the attack until September 27, 2024, five days after the intrusion had already concluded. The hackers had completed their work, exfiltrated the data, and left before anyone at MoneyGram noticed anything was wrong.
  • The company initially characterized the event as a “network outage,” not a data breach. It took public pressure and reporting from outlets like BleepingComputer and USA TODAY before MoneyGram acknowledged that customer data had been stolen.
  • MoneyGram then “proactively” took certain systems offline to contain the damage, a move that caused its services to go dark for customers who depended on them, including people sending money to pay bills, rent, or family abroad.
  • The stolen data categories confirmed by MoneyGram and cited in the lawsuit: names, Social Security numbers, government-issued identification details, bank account information, transaction records, email addresses, postal addresses, phone numbers, utility bills, MoneyGram Plus Rewards information, and criminal investigation information for a subset of customers.
Visual 1: Attack Timeline — From Infiltration to Class Action
  • Sept 20: Hack begins: social engineering of IT helpdesk.
  • Sept 22: Data exfiltration complete. Hackers gone. (2 days of intrusion)
  • Sept 27: MoneyGram notices. Calls it a “network outage.” Takes systems offline. (5 days undetected)
  • Oct 7: MoneyGram confirms customer data stolen in public notice.
  • Oct 14: Federal class action filed: Reyes v. MoneyGram.
  • Total: 24 days from first intrusion to lawsuit.

Every Category of Data That Was Stolen — And What Criminals Can Do With It

MoneyGram collected extraordinarily sensitive data as a condition of its service. Every category of that data was exposed. Each category listed below corresponds to a documented type of fraud that criminals can and do execute.

  • Social Security Numbers: The master key to a person’s financial identity. Cannot be changed under most circumstances. Enables new credit accounts, tax fraud, government benefit theft, and medical identity theft. Worth more than 10x a stolen credit card number on the black market, according to cybersecurity firm RedSeal.
  • Government Identification Details: Driver’s license numbers, passport numbers, alien registration numbers. Used to bypass identity verification at banks, loan companies, and government agencies.
  • Bank Account Information: Enables direct account takeover, unauthorized wire transfers, and ACH fraud. Unlike credit cards, bank account losses are significantly harder to reverse.
  • Transaction Information: Reveals financial behavior patterns, regular recipients, and amounts. Enables targeted social engineering against victims and their contacts.
  • Utility Bills: Utility documents are used as proof of address. Criminals use them to verify identity during account takeover attempts and to open fraudulent new accounts in victims’ names.
  • MoneyGram Plus Rewards Information: Account history and loyalty data. Provides a blueprint of a customer’s transaction patterns and can be used to hijack accounts directly.
  • Criminal Investigation Information: Confirmed stolen for a subset of customers. This category of data is among the most sensitive that exists. Its exposure could have serious consequences for individuals involved in ongoing legal matters.
  • PII sold on the dark web ranges from $40 to $200 per individual record. Complete “Fullz” packages, which combine multiple categories of the type stolen here, command up to $100 per record or more. Access to entire company data breach archives sells for $900 to $4,500.
“Compared to credit card information, personally identifiable information is worth more than 10x on the black market.” — Martin Walter, Senior Director, RedSeal (cybersecurity firm), cited in the class action complaint.
Visual 2: What Was Stolen — Data Types and Criminal Value (relative criminal exploitation risk by stolen data category, based on complaint allegations; scale: Low / Med / High / Critical)
  • SSN: Critical
  • Govt ID: Critical
  • Bank Acct: High
  • Transactions: Med
  • Crim. Info: Critical
  • Utility Bills: Med
  • Contact Info: Med

What This Actually Costs Real People

Armando Reyes lives in Mission Viejo, California. He used MoneyGram to send money, the way millions of working people do, to pay bills, support family, handle obligations that cannot wait. When MoneyGram took its own systems offline to contain the damage from the breach, his transfer was held for eight days. Eight days. The bills that transfer was meant to pay went unpaid during that window. Late fees followed. He was penalized financially for a failure that was entirely MoneyGram’s.

This is the part of the story that never fits neatly into a damages calculation. MoneyGram’s customers are not primarily wealthy people with diversified financial cushions. They are people who use money transfer services because that is how they move money. Often urgently. Often internationally. Often to family members who depend on it arriving on time. An eight-day delay is not a minor inconvenience. It is rent not paid. It is a parent abroad who doesn’t receive the money they were counting on. It is a utility shut-off notice. It is late fees on top of the original bill.

Beyond Reyes, tens of thousands of people now carry the weight of knowing that their Social Security number, the one number issued to them by the government that cannot easily be replaced, is in the hands of criminals. They did not consent to this. They gave that information to MoneyGram because MoneyGram required it as a condition of service. They had no meaningful choice. Use the service, hand over your most sensitive data, and trust that the company will protect it. MoneyGram promised it would. It did not.

The class action documents confirm that victims are expected to spend hours, possibly days, over the coming months contacting credit bureaus, placing fraud alerts, reviewing accounts, changing passwords, freezing credit, and monitoring for signs of identity theft that might not show up for a year or more. The U.S. Government Accountability Office has documented that stolen data can sit for up to a year before criminals deploy it. That means every person affected by this breach now lives with an open threat that has no defined end date.

Some affected customers had criminal investigation information in MoneyGram’s system. The complaint does not specify what that means in every case. It could mean records of fraud investigations, background checks, or government-reported activity. Whatever the specifics, that category of information is among the most sensitive that any person can have exposed. The consequences of its unauthorized release are uniquely unpredictable and potentially severe.

Credit and identity monitoring services, which the lawsuit describes as a reasonable and necessary response, cost $200 or more per person per year. Plaintiffs argue this cost should last a minimum of seven years. That is $1,400 per person, minimum, in defensive costs they are now forced to carry because MoneyGram did not do its job. MoneyGram collected fees for its service. It collected the data. It made the promises. The people it failed are now paying a tax on that failure, in time, money, anxiety, and the persistent low-grade dread of waiting to find out what someone does with their stolen identity next.

What the Court Documents Actually Say

These are verbatim statements from the class action complaint filed October 14, 2024. No paraphrasing. No interpretation added in advance. The evidence speaks for itself.

“We use a variety of robust physical, technical, organizational, and administrative safeguards to protect your personal data from unauthorized access, loss or alteration.”
  • This is a direct quote from MoneyGram’s own global privacy notice, cited verbatim in the complaint (paragraph 9). MoneyGram made this promise to every customer whose data it collected.
  • The breach proves this statement was false. Hackers impersonated an employee on a phone call and gained access. There was no multi-factor authentication barrier that stopped them, no behavioral monitoring that flagged the social engineering attack, and no logging system that caught the intrusion for five days after it ended.
“[L]aw enforcement officials told us that in some cases, stolen data may be held for up to a year or more before being used to commit identity theft. Further, once stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years.”
  • This is a direct quote from a U.S. Government Accountability Office report, cited in the complaint (paragraph 34), to establish that the harm from this breach is not a one-time event. It is a sustained, multi-year threat.
  • The complaint uses this to support the argument that victims’ damages extend far beyond what has already occurred and that the risk cannot be bounded by a short remediation window.
“Plaintiff Reyes attempted to send a money transfer using MoneyGram, but the funds were delayed for eight days because of Defendant’s systems outages that occurred because of the Data Breach. The delay was particularly harmful because it caused Mr. Reyes to be incur late fees for the bills the transfer was meant to pay.”
  • This is the documented, specific harm suffered by the named plaintiff (paragraph 82). It establishes that the damage from this breach is not hypothetical or future-tense only. It is concrete and already realized.
  • It also demonstrates that MoneyGram’s decision to take its own systems offline as a containment measure had direct, measurable financial consequences for the customers who depended on those systems.
“The infiltration occurred between September 20 and September 22, 2024, but Defendant did not discover the Data Breach until September 27, 2024.”
  • This five-day detection gap (paragraph 3) is central to the negligence claim. Industry-standard cybersecurity tools, specifically endpoint detection and response (EDR/XDR) systems, data loss prevention tools, and centralized security event management, are designed precisely to prevent this kind of invisible exfiltration.
  • The complaint argues that the delayed detection is itself evidence of MoneyGram’s failure to implement reasonable monitoring systems, which are described in the complaint as “critical components of any reasonable cybersecurity program” and “expected industry standards.”
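A defender-side illustration of the detection gap discussed above: the attack chain the complaint describes (helpdesk grants account access by phone, the account then connects remotely, the attackers then go for Active Directory) is exactly the kind of sequence a SIEM correlation rule can surface within hours rather than days. The code below is an added example, not MoneyGram's tooling or anything from the complaint; the event types, field names, IP addresses and log lines are constructed assumptions standing in for a normalized SIEM feed.

```python
"""Correlate a helpdesk-initiated access grant with a later remote logon from a
never-before-seen source and a subsequent privileged Active Directory change.
Assumed normalized schema (constructed): ts|kind|user|src|detail per line."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Set

# Assumed event type names; a real SIEM will use its own field values.
HELPDESK_GRANT = "helpdesk_access_grant"   # helpdesk reset/unlocked the account
REMOTE_LOGON = "remote_logon"              # VPN/RDP/other remote entry point
AD_PRIV = "ad_privileged_change"           # e.g. membership added to a privileged AD group

WINDOW = timedelta(hours=48)               # how long after the grant we keep watching


@dataclass
class Event:
    ts: datetime
    kind: str
    user: str
    src: str          # source IP, or ticket id for helpdesk events
    detail: str = ""


def parse_line(line: str) -> Event:
    """Parse one pipe-delimited line of the constructed log format."""
    ts, kind, user, src, detail = line.split("|", 4)
    return Event(datetime.fromisoformat(ts), kind, user, src, detail)


def known_sources(events: List[Event], user: str, before: datetime) -> Set[str]:
    """Baseline: sources this user logged on from before the helpdesk grant."""
    return {e.src for e in events
            if e.kind == REMOTE_LOGON and e.user == user and e.ts < before}


def correlate(events: List[Event]) -> List[dict]:
    """One alert per helpdesk grant followed, within WINDOW, by a remote logon
    from an unseen source; escalated to critical if a privileged AD change follows."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for grant in (e for e in events if e.kind == HELPDESK_GRANT):
        baseline = known_sources(events, grant.user, grant.ts)
        deadline = grant.ts + WINDOW
        logon = next((e for e in events
                      if e.kind == REMOTE_LOGON and e.user == grant.user
                      and grant.ts <= e.ts <= deadline and e.src not in baseline), None)
        if logon is None:
            continue   # reset followed only by logons from known sources: benign
        priv = next((e for e in events
                     if e.kind == AD_PRIV and e.user == grant.user
                     and logon.ts <= e.ts <= deadline), None)
        last = priv or logon
        alerts.append({
            "user": grant.user,
            "severity": "critical" if priv else "high",
            "chain": [grant, logon] + ([priv] if priv else []),
            "dwell_hours": round((last.ts - grant.ts).total_seconds() / 3600, 1),
        })
    return alerts


def alerts_from_log(text: str) -> List[dict]:
    return correlate([parse_line(l) for l in text.strip().splitlines()])


# Constructed sample feed: jdoe's reset is followed by a logon from an unseen
# address and a privileged change; asmith's reset is followed by a logon from
# an address already in the baseline and should not alert.
CONSTRUCTED_LOG = """\
2024-09-10T09:00:00|remote_logon|jdoe|203.0.113.10|vpn
2024-09-18T08:30:00|remote_logon|jdoe|203.0.113.10|vpn
2024-09-20T14:05:00|helpdesk_access_grant|jdoe|ticket-4711|password reset by phone
2024-09-20T14:20:00|remote_logon|jdoe|198.51.100.77|vpn
2024-09-21T02:10:00|ad_privileged_change|jdoe|198.51.100.77|membership added to privileged group
2024-09-01T10:15:00|remote_logon|asmith|203.0.113.22|vpn
2024-09-20T10:00:00|helpdesk_access_grant|asmith|ticket-4702|password reset in person
2024-09-20T10:15:00|remote_logon|asmith|203.0.113.22|vpn
"""

if __name__ == "__main__":
    for a in alerts_from_log(CONSTRUCTED_LOG):
        print(a["severity"], a["user"], f"{a['dwell_hours']}h", [e.kind for e in a["chain"]])
```

Feeding the two-day jdoe sequence through this rule yields a critical alert about twelve hours after the helpdesk call, which is the window in which a response could still have interrupted the exfiltration.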
“Upon information and belief Defendant failed to meet the minimum standards of one or more of the following frameworks: the NIST Cybersecurity Framework Version 1.1 (including without limitation PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.AT-1, PR.DS-1, PR.DS-5, PR.PT-1, PR.PT-3, DE.CM-1, DE.CM-4, DE.CM-7, DE.CM-8, and RS.CO-2), and the Center for Internet Security’s Critical Security Controls.”
  • This is paragraph 45 of the complaint. NIST and CIS frameworks are not optional aspirations; they are the documented, widely adopted standards against which courts and regulators measure cybersecurity adequacy.
  • The specific NIST codes cited govern access control, employee training, data security, protective technology, anomaly detection, continuous monitoring, malicious code detection, and communications during a response. Every category listed maps directly to a failure visible in this breach.
“Given Defendant’s failures to implement the proper systems, as defined above, even knowing the ubiquity of the threat of data breaches, Defendant’s decision not to invest enough resources in its cyber defenses amounts to gross negligence.” — Reyes v. MoneyGram Payment Systems, Inc., Complaint ¶ 114

What MoneyGram Told You vs. What Actually Happened

Visual 3: Claimed Safeguards vs. Documented Reality
  • What MoneyGram claimed: “Robust physical, technical, organizational, and administrative safeguards to protect your personal data.” The documented reality: Hackers impersonated an employee by phone. IT helpdesk handed over account access with no verification.
  • What MoneyGram claimed: Monitoring systems in place to detect unauthorized access and respond promptly. The documented reality: The breach ran undetected for 5 days after data exfiltration was complete. No EDR, no DLP, no SIEM detected it.
  • What MoneyGram claimed: Staff trained to identify and resist social engineering attacks per industry cybersecurity standards. The documented reality: IT helpdesk fell for the very first category of attack all cybersecurity training programs address.
  • What MoneyGram claimed: PII encrypted and secured against unauthorized access. Data only used for authorized transaction purposes. The documented reality: Complaint alleges PII was stored unencrypted. Hackers accessed and exfiltrated it without triggering alerts.
Source: Class action complaint, Case No. 3:24-cv-02572 (N.D. Tex. Oct. 14, 2024)

Who Gets Hurt, How, and For How Long

Public Health: The Hidden Toll of Identity Theft

Identity theft and the sustained anxiety of living under an open threat have documented psychological and physical consequences. The people affected by this breach are not just managing a one-time inconvenience; they are managing a chronic, open-ended stressor.

  • The lead plaintiff Armando Reyes specifically documents “emotional distress” and “stress and anxiety due to increased concerns for the loss of his privacy” (complaint ¶¶ 75, 77). These are not rhetorical claims; they are pleaded injuries in a federal lawsuit.
  • Affected customers now face an indefinite period of hypervigilance, including regularly monitoring credit reports, bank statements, health insurance claims, and tax filings for signs of fraud. This sustained cognitive load has measurable health consequences, particularly for lower-income individuals who cannot easily absorb the financial and time costs of ongoing monitoring.
  • Customers whose criminal investigation information was exposed face a uniquely unpredictable harm. The disclosure of that category of data can affect employment, housing, immigration status, and ongoing legal proceedings in ways that are nearly impossible to fully anticipate or mitigate.
  • Medical identity theft is an established downstream risk from the type of data stolen here. When criminals use a victim’s identity to access healthcare, the fraudulent entries in medical records can affect future care decisions and insurance eligibility.

Economic Inequality: Who Pays the Price for Corporate Negligence

MoneyGram’s customer base skews toward people who need money transfer services: workers sending remittances, immigrants supporting family abroad, and lower-income households without access to traditional banking infrastructure. These are not people with financial buffers to absorb the cost of identity theft.

  • The complaint establishes that credit monitoring costs $200 or more per person per year (¶ 69) and argues this cost is necessary for a minimum of seven years. That is a $1,400 minimum per-person defensive expenditure that falls entirely on victims, not on MoneyGram.
  • The eight-day service outage following the breach directly harmed Reyes financially with late fees on bills. For customers with thin financial margins, an eight-day delay in a money transfer is not a minor inconvenience. It is a cascading financial event.
  • Under California law cited in the complaint, statutory damages of up to $750 per affected individual are available under the CCPA. With tens of thousands of potential class members and an amount in controversy exceeding $5,000,000, the lawsuit argues that the aggregate harm is enormous, yet no individual has the resources to litigate alone.
  • The complaint notes that the data brokerage industry was worth roughly $200 billion in 2019 (¶ 60). The PII that was stolen from these customers had real market value. That value was transferred to criminals without any compensation to the individuals whose data it was. This is an economic extraction with no return.
  • Dark web buyers do not pay once and stop. Fullz packages are resold repeatedly to multiple criminal operators, each of whom uses the data to run independent fraud operations against the same victims. The economic harm compounds with each resale.
  • Stolen Social Security numbers can be used for tax refund fraud, which means victims may face delayed IRS refunds or complex resolution processes that require professional help, including tax attorneys or CPAs, costs that fall entirely on them.
Visual 4: The “Fullz” Package — How Stolen MoneyGram Data Gets Combined and Resold
  • MoneyGram data breach: stolen PII, presented to customers as “secured”: Social Security number, government ID / passport, bank account info, transaction records, utility bills / address proof.
  • “Fullz” package: complete identity dossier, sells for $100+ per record.
  • Downstream outcomes: bank account takeover, tax refund fraud, new credit account fraud, medical/immigration identity theft.
Each outcome above can persist for years and may not emerge until well after the breach is discovered.

Put a Number on It

The Security Program MoneyGram Was Supposed to Run

Visual 5: Required Security Process vs. What MoneyGram Actually Did
  • Required by law and standards: Train IT helpdesk to resist social engineering (NIST PR.AT-1 / industry standard). What MoneyGram did: Helpdesk granted account access to a caller who impersonated an employee by phone.
  • Required by law and standards: Multi-factor authentication on all remote access (NIST PR.AC-7 / FTC guidelines). What MoneyGram did: Attackers remotely accessed systems with no MFA barrier stopping them.
  • Required by law and standards: Continuous monitoring: EDR/XDR, DLP, SIEM (NIST DE.CM-1, DE.CM-7 / industry standard). What MoneyGram did: Breach ran for 5 days undetected. No EDR, DLP, or SIEM flagged the intrusion.
  • Required by law and standards: Encrypt PII at rest and in transit (NIST PR.DS-1 / FTC guidelines / CCPA). What MoneyGram did: PII alleged to have been stored unencrypted. Taken without resistance.
  • Required by law and standards: Incident response plan: timely, accurate notification to affected customers (NIST RS.CO-2 / FTC guidelines). What MoneyGram did: Breach called a “network outage.” Public confirmation delayed until October 7, 15+ days after intrusion began.
Each required step is a documented industry standard or legal obligation. Each counterpart is what the complaint alleges MoneyGram actually did.

What Now: Who to Hold Accountable and How to Protect Yourself

The class action is filed and the legal machine is moving. Here is what you can do right now if you used MoneyGram and believe your data was compromised, and here is who to contact to demand accountability.

Watchlist: Regulatory Bodies with Jurisdiction Over This Case

  • Federal Trade Commission (FTC): The FTC has explicit authority under Section 5 of the FTC Act to pursue MoneyGram for failure to maintain reasonable data security practices. The complaint cites the FTC Act as the primary legal basis for the negligence per se claim. File a complaint at ftc.gov/complaint.
  • California Attorney General (CCPA Enforcement): The complaint includes a California Consumer Privacy Act (CCPA) claim. The California AG has enforcement power over CCPA violations by companies with over $25 million in annual revenue, which MoneyGram easily meets. Contact: oag.ca.gov/privacy/ccpa.
  • Consumer Financial Protection Bureau (CFPB): MoneyGram is a financial services company subject to CFPB oversight. The CFPB has authority over unfair, deceptive, or abusive practices in consumer financial services. Submit a complaint at consumerfinance.gov/complaint.
  • Financial Crimes Enforcement Network (FinCEN): As a major money services business, MoneyGram operates under FinCEN oversight. Systemic security failures that expose transaction data are relevant to FinCEN’s mandate. Contact: fincen.gov.
  • State Attorneys General in Your State: Most states have their own data breach notification laws and consumer protection statutes. Contact your state AG’s consumer protection division to report the breach and ask about state-level remedies.

Take These Steps Now if Your Data Was Exposed

  • Place a credit freeze immediately at all three major bureaus: Equifax (equifax.com), Experian (experian.com), and TransUnion (transunion.com). A freeze is free and blocks new accounts from being opened in your name. This is the single most effective defensive action available.
  • Place a fraud alert with one bureau (they are required to notify the others). An extended fraud alert lasts seven years and requires creditors to take extra steps to verify your identity before opening new accounts.
  • File your taxes as early as possible this year and every year going forward. Tax refund fraud using stolen SSNs is one of the most common and fastest-occurring forms of identity theft after a breach.
  • Review your Social Security earnings record at ssa.gov. If someone is working using your SSN, it will appear in your earnings history and affect your future benefits.
  • Join or monitor the class action. Case No. 3:24-cv-02572 is filed in the Northern District of Texas. If you received a notification from MoneyGram that your data was affected, you are a potential class member. Contact plaintiff’s counsel: Kendall Law Group (jkendall@kendalllawgroup.com, 214-744-3000) or Stranch, Jennings & Garvey (gstranch@stranchlaw.com).
  • Connect with local mutual aid networks that provide support for identity theft victims, particularly immigrant communities and lower-income households that disproportionately use remittance services. These networks often have volunteers with experience navigating credit freezes, fraud disputes, and IRS identity protection PINs.
  • Demand encryption and security audits from every financial service you use. Ask the company in writing whether your PII is stored encrypted. Document their response. If they cannot confirm encryption, your data is at risk with them too.
MoneyGram operates in more than 200 countries across more than 430,000 locations. The number of people whose data was exposed is “likely thousands” at minimum, and may be tens of thousands. Every one of them is now carrying a risk that MoneyGram created and that MoneyGram has not paid for.

The source document for this investigation is attached below.

Aleeia

I'm Aleeia, the creator of this website.

I have 6+ years of experience as an independent researcher covering corporate misconduct, sourced from legal documents, regulatory filings, and professional legal databases.

My background includes a Supply Chain Management degree from Michigan State University's Eli Broad College of Business, and years working inside the industries I now cover.

Every post on this site was either written or personally reviewed and edited by me before publication.

Learn more about my research standards and editorial process by visiting my About page.
