Check City, a cash loan provider operating across Utah, Nevada, and other states, disclosed on March 25 that an unauthorized actor accessed its network and may have obtained records containing Social Security numbers, financial account details, payment card information, driver's license numbers, dates of birth, and home addresses of thousands of borrowers.
If you're a Check City customer, here's what to do right now: freeze your credit at all three bureaus (Equifax, Experian, TransUnion), place a fraud alert, and monitor your bank and card statements for unfamiliar transactions. Don't wait for a notification letter.
What we know
The disclosure came via a GlobeNewswire announcement on March 25, tied to an investigation by Lynch Carpenter, LLP, a national class action firm with offices in Pennsylvania, California, and Illinois that specializes in data privacy litigation. According to the announcement, an unauthorized person gained access to Check City's network and "may have acquired records containing personally identifiable information."
The data types at risk, according to Lynch Carpenter's disclosure:
- Full names
- Home addresses
- Social Security numbers
- Driver's license or government-issued ID numbers
- Financial account information
- Payment card information
- Dates of birth
That's the full identity theft starter kit. SSNs combined with dates of birth and financial account numbers give an attacker everything needed to open fraudulent accounts, file false tax returns, or drain existing accounts.
What we don't know
Check City itself has not published a public breach notice on its website as of March 26. The company has not disclosed when the intrusion actually occurred, how long the attacker had access, how many individuals are affected beyond "thousands," or what the initial access vector was. There's no mention of credit monitoring being offered to affected individuals, which is notable given the sensitivity of the exposed data.
Rankiteo, a cybersecurity ratings firm, assigned the incident a severity score of 85 out of 100 and an impact rating of 4, categorizing it as an "attack with significant impact with customers data leaks."
The absence of detail from Check City is worth noting. Utah's Protection of Personal Information Act (Utah Code 13-44-101) requires entities doing business in the state to notify affected individuals "in the most expedient time possible without unreasonable delay" after determining the scope of a breach. Whether Check City has sent individual notification letters to affected borrowers is unclear from public reporting.
