NCB Management Services, a US-based debt collector, exposed sensitive user financial data such as payment card numbers with security codes. The company has hinted at paying a ransom to attackers. NCB has started sending breach notification letters to affected users about a data breach that exposed nearly 1.1 million people. The US company claims that attackers penetrated its systems on February 1st. It took NCB three days to notice that the company’s systems were breached. “Recently, confidential client account information maintained by NCB was accessed by an unauthorized party. To date, we are unaware of any misuse of your information as a result of this incident,” the company’s letter to potential victims said.

According to the debt collector, it investigated which types of data were accessed up until April 19th. Information that the company provided to the Maine Attorney General shows that attackers accessed financial account numbers or payment card numbers “in combination with security code, access code, password or PIN for the account.”

Stolen financial data often ends up for sale on dark web forums so criminals can mask their illicit activities using other people’s names, essentially stealing the victim’s identity.

Curiously, NCB’s letters say that it “has obtained assurances that the unauthorized third party no longer has access to any of NCB’s data,” strongly indicating that it opted to pay whatever the attackers were asking in exchange for the stolen data.

Satellite broadcast provider DISH, another recently breached US company, also tried to reassure its affected customers by saying that it had “received confirmation that the extracted data has been deleted.”

Cybersecurity experts advise against succumbing to criminals’ demands, since organizations that do so are often targeted with subsequent attacks. The FBI and law enforcement agencies are also against ransomware payments.

NCB said that it would provide affected users with identity theft monitoring services to affected people for two years, free of charge. To read more click here.