Another significant data breach is making headlines — this time impacting nearly 2 million individuals through a third-party debt collection agency, Financial Business and Consumer Solutions (FBCS).

The company, which specializes in collecting consumer debts on behalf of creditors, discovered unauthorized access to parts of its network on February 26, 2024. According to filings with the Maine Attorney General’s Office, this breach may have compromised names, birth dates, Social Security numbers, and account information.

That’s a heavy combination of personal identifiers — and it’s the kind of data that criminals can use to launch identity theft or financial fraud.

---

What We Know So Far

FBCS reported that the intrusion lasted from February 14 to February 26, during which time a third party accessed or potentially exfiltrated sensitive data. The company says it has not seen evidence of misuse so far — but that doesn’t mean the risk has passed.

Here’s a breakdown of key details:

• Incident timeline: Unauthorized access took place over a 12-day window in February.
• Discovered: February 26, 2024.
• Number of individuals affected: Up to 1,955,385.
• Data exposed: Name, date of birth, Social Security number, and account-related information.
• Notifications began: April 4, 2024, with help from FBCS client organizations.
• Credit monitoring: 12 months of free credit monitoring is being offered.

---

Why This Matters to Security Teams

This breach hits a critical intersection of third-party risk and sensitive personal data — and it’s a clear signal that even companies that aren’t direct data holders still represent major risk vectors.

We’ve seen time and time again that third-party vendors are a soft target, and attackers know it. In this case, FBCS was acting as a data processor for client organizations — and their exposure has now potentially rippled through the privacy of nearly two million individuals.