Data breach at auto lender Industrial Acceptance Corporation affects nearly 80,000 people

Connecticut-based auto financing company, Industrial Acceptance Corporation, said a data breach incident in 2025 compromised the sensitive personal information of nearly 80,000 individuals.

 

Headquartered in New Haven, Connecticut, Industrial Acceptance Corporation (IAC) is a consumer finance company that provides financing solutions for automotive and other consumer purchases. Through partnerships with retailers and customers, the company offers accessible credit products and flexible lending programs across a range of industries.

 

In a data security incident notice filed with the Office of Maine Attorney General, IAC said that on February 24, 2025, it detected unauthorised activity within its internal network. The company immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident.

 

“On or around March 4, 2025, IAC learned that files were taken from our network by an unauthorised actor. We commenced a detailed review of the files involved to understand the data potentially involved, whether those files contained personal information, and if so, to whom the data related. This review was completed on May 11, 2026,” IAC said.

 

The compromised data included names, and other personal identifiers including Social Security numbers. The filing with the Maine state regulator also states that IAC has identified at least 79,216 individuals who were impacted by the incident.

 

In a press release, the company said it completed its investigation into the data breach incident on May 11, 2026, and was able to determine that the incident compromised customers’ names, dates of birth, Social Security numbers, financial account or payment card numbers, and/or driver’s license or other state identification numbers.

 

“Upon becoming aware of the event, we took immediate steps to secure our systems, and we reported the event to federal law enforcement,” IAC added. It has also offered one year of complimentary identity protection and credit monitoring services through CyberSteward to all affected individuals.

 

The auto financing company has advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and the state attorney general.

The Akira ransomware group later claimed responsibility for the cyber attack on IAC and listed the company as a victim on its data leak site. The group claimed it had obtained 60GB of confidential data including financial data, health condition certificates, internal correspondence, and more.

 

Contrary to the Akira ransomware group’s claims, in its filing with the Maine state regulator, IAC said that it suffered a ransomware attack carried out by the INC Ransom ransomware group. To date, INC Ransom has not publicly acknowledged its involvement in the breach incident.