Crypto ATM operator Bitcoin Depot has only just notified its users of a data breach from mid-last year that exposed the private information of nearly 27,000 customers.

In a notice to customers filed with attorneys general in Maine and Massachusetts on Monday, Bitcoin Depot said a total of 26,732 users’ data was affected by an “external system breach” that happened on June 23, 2024.

A Bitcoin Depot spokesperson told Cointelegraph that “at the direction of federal law enforcement, we were asked to delay notification due to an active investigation into the third party responsible for the breach.”

The company’s notice said law enforcement advised it on June 13 that an investigation into the matter was complete, with the spokesperson adding it was “recently cleared to begin notifying those affected.”

Crypto and tech companies are often targeted by hackers, who so far this year have exposed over 16 billion login credentials to popular online services that were uncovered in late June and stole user data from the crypto exchange Coinbase in May.

Names, addresses exposed, but “no evidence” of misuse

Bitcoin Depot said in its notice to customers that the breach involved their name, phone number, driver’s license number and could have also included addresses, birth dates and emails.

“There is no evidence of customer information being misused,” Bitcoin Depot’s spokesperson said. “We remain committed to protecting customer data and privacy.”

The company has told customers to monitor their credit reports, report any suspicious activity and create fraud alerts and security freezes with credit agencies that will tell creditors to take extra precautions before opening or changing credit accounts in their name.

Hacker broke into Bitcoin Depot’s system

Bitcoin Depot’s spokesperson said that in June 2024, the company had “detected unusual activity on its network and immediately launched an investigation with a leading cybersecurity firm.”

On July 18, 2024, the cybersecurity firm finished its investigation and “confirmed that an unauthorized party accessed files containing personal information of certain customers,” according to the spokesperson and the customer notice.

The company did not provide further details but said in its notice that it is cooperating with law enforcement over the incident and has “taken steps to prevent a recurrence by enhancing security measures and security monitoring and increasing company awareness of data security protection.”

String of data leaks

Hackers have targeted Bitcoin ATM operators before, with Byte Federal disclosing a data breach in December that potentially affected 58,000 customers after a vulnerability in software provided by a third party was exploited.

It said it immediately shut down its platform and assured that no user assets or funds had been compromised.

Coinbase said in May it was also targeted by bad actors earlier this year who bribed third-party contractors to the crypto exchange for its customers’ information.

The company said it rejected a $20 million ransom demand after hackers leaked user data in mid-May.

Magazine: Coinbase hack shows the law probably won’t protect you — Here’s why