Xactus LLC recently disclosed a data breach affecting consumers’ personal information after an unauthorized party gained access to a company email account.
On February 14, 2025, Xactus filed a notice of data breach with the Attorney General of Massachusetts, revealing that an unauthorized actor accessed an employee’s email account. As a result, sensitive consumer information—including names, financial account details, and driver’s license numbers—was exposed. The company has since begun notifying affected individuals.
Xactus first detected suspicious activity in its email system on July 15, 2024, prompting an immediate security response. A subsequent investigation confirmed that an unauthorized party accessed a company email account between June 26 and July 15, 2024. While the breach was contained within an hour of discovery, the attacker had already accessed confidential consumer data. By November 25, 2024, Xactus completed its review of compromised files and began locating affected individuals, concluding the process by January 15, 2025. The company officially sent data breach notification letters on February 14, 2025, detailing what information was exposed.
In its data breach notice, Xactus reported that on July 15, 2024, it identified “suspicious activity in its email tenant” and launched an investigation with third-party forensic specialists. The investigation found that “there were intermittent periods of unauthorized access to one email account between June 26, 2024, and July 15, 2024.” Although the unauthorized access was “detected and removed within an hour of discovery,” the investigation determined that the actor had “acquired certain information stored in this account.”
In response, Xactus stated it “takes the confidentiality, privacy, and security of information in its care very seriously” and is offering “complimentary credit monitoring and identity restoration services through IDX for twenty-four (24) months.” Impacted individuals must enroll by May 14, 2025.
Xactus advised individuals to remain vigilant by “reviewing your account statements and monitoring your free credit reports for suspicious activity and to detect errors over the next 12 to 24 months.”
The Xactus data breach raises concerns about financial fraud and identity theft, as exposed information could be exploited by cybercriminals. Affected individuals are encouraged to monitor their accounts, report suspicious activity, and seek legal guidance on protecting their personal data.
See also: HIPAA Compliant Email: The Definitive Guide
If your personal information is exposed in a data breach, cybercriminals may use it for identity theft, financial fraud, or phishing scams. This could result in unauthorized transactions, compromised accounts, or fraudulent use of your personal details.
To minimize your risk, follow these best practices:
In some cases, affected individuals may have legal options, especially if the breach resulted from inadequate security measures. If your data has been compromised, consulting a data breach attorney can help you understand your rights and potential next steps.