Auto lender Industrial Acceptance Corporation (IAC) has notified 79,216 individuals that their personal data, including Social Security numbers and driver's license numbers, was stolen during a February 2025 ransomware attack claimed by the INC ransomware group. The intrusion forced IAC to take systems offline while it restored operations, and a separate group, Akira, has also publicly claimed responsibility for an attack on the company.
What Happened
According to IAC's breach notice, the company detected unauthorized activity in its network on February 24, 2025, and immediately took its systems offline to contain the incident. Subsequent investigation determined that the event was a ransomware attack claimed by the INC group, and on or around March 4, 2025, IAC confirmed that files had been exfiltrated from its environment. While INC never listed IAC on its public data leak site, a second ransomware crew, Akira, took credit for an attack on IAC in March 2025 and claims to have stolen 60 GB of company data. IAC has not publicly acknowledged Akira's claim, and it remains unclear whether the two groups operated independently, collaborated, or whether one acquired access from the other.
What Was Taken
IAC confirmed that the stolen files contained names, Social Security numbers, and driver's license numbers belonging to 79,216 individuals. This combination is among the most damaging identity-theft data sets available to criminals, supporting synthetic identity fraud, fraudulent loan applications, and tax refund fraud. Akira's claim of 60 GB of exfiltrated data, if accurate, suggests the stolen trove extends well beyond the notification dataset and may include internal financial documents, loan files, and corporate records typical of an auto lending operation. IAC is offering affected individuals 12 months of credit monitoring through Cyberscout, with enrollment closing 90 days from the date of the notice letter.
Why It Matters
Auto lenders sit on dense concentrations of consumer financial data, holding everything required to open new credit lines in a victim's name. A breach of this scale at a subprime or specialty lender provides threat actors with high-value identity packages tied to consumers who, in many cases, already have strained credit, making fraudulent activity harder to detect quickly. The dual-claim dynamic between INC and Akira also reinforces a pattern wasteland.me has tracked across 2025 and 2026, where multiple ransomware crews exploit overlapping victim pools, sometimes via shared affiliates or sequential intrusions. For defenders in the financial services sector, IAC joins a growing list of INC victims that now includes Beacon Mutual Insurance, Evolve Mortgage Services, and Ingo Money.
The Attack Technique
IAC has not disclosed the initial access vector used in the February intrusion, and Comparitech reports that it is unknown whether a ransom was paid or what either group demanded. INC, active since July 2023, is known to rely on spear phishing campaigns and the exploitation of known, unpatched vulnerabilities in internet-facing software to gain initial access. After establishing a foothold, INC's operators typically conduct lateral movement, exfiltrate sensitive data for double-extortion leverage, and deploy ransomware to encrypt critical systems. The window between IAC's detection on February 24 and confirmation of data theft on March 4 suggests attackers maintained persistent access for some time before the encryption stage triggered detection.
What Organizations Should Do
- Patch internet-facing systems aggressively, prioritizing VPN appliances, file transfer software, and remote access products, which INC and Akira routinely target.
- Harden email defenses against spear phishing with strong inbound filtering, attachment sandboxing, and DMARC enforcement, and require phishing-resistant MFA on every account that can reach corporate resources.
- Deploy and tune EDR with behavioral detections for credential dumping, scheduled task abuse, and unusual PowerShell activity, and ensure 24/7 monitoring so that lateral movement is caught before staging completes.
- Segment customer PII and loan origination systems from general corporate networks, and apply data loss prevention controls on outbound traffic to detect bulk exfiltration over web, cloud storage, and file transfer channels.
- Maintain immutable, offline backups and regularly rehearse restoration procedures so that an encryption event does not force prolonged downtime or push leadership toward ransom payment.
- Subscribe to threat intelligence feeds covering INC and Akira indicators, and proactively hunt for their known tools, droppers, and command-and-control infrastructure across historical logs.
Sources: Auto lender IAC warns 79,000+ people of data breach that leaked SSNs - Comparitech