What Happened in the 360training Data Breach?
360training, through its Mortgage Educators and Compliance (MEC) website, discovered a data breach on Nov. 26, 2025. The breach compromised sensitive customer information tied to payment transactions on the platform. As a result, thousands of people across the United States now face potential exposure of their financial details.
According to regulatory filings, the 360training data breach involved unauthorized access to systems holding customer payment records. The filings do not specify the exact method attackers used to gain entry. However, the presence of stolen credit and debit card numbers strongly suggests the intrusion targeted payment processing or storage systems directly.
Following discovery, 360training and MEC launched an investigation to determine the scope of the incident. This process likely involved forensic review of affected systems to confirm which records were accessed. Because the breach touched residents in multiple states, the company also had to coordinate its response with several state regulators simultaneously.
The investigation ultimately confirmed that specific categories of personal and financial data were compromised. In response, the company moved to notify both regulators and affected individuals. This notification process took several months, spanning from the November discovery date to formal consumer letters sent in February 2026.
Who was affected?
The 360training data breach affected a total of 24,594 individuals in the United States. This population appears to consist primarily of customers who used the Mortgage Educators and Compliance website for online training or certification services. Because MEC operates as an educational platform tied to mortgage licensing, affected individuals likely include mortgage professionals and students who paid for courses online.
State-level breakdowns show the impact spread across several jurisdictions. Texas had the largest reported number, with 2,391 individuals affected. Massachusetts followed with 323 individuals, New Hampshire with 145, and Maine with 49. These figures represent only the states that publicly disclosed specific counts, so the true distribution likely extends further.
Because the breach involved payment card transactions, it’s reasonable to assume affected individuals span a wide range of ages and professions. There is no indication in the available filings that the breach specifically targeted minors. Still, anyone who made a payment through the affected platform during the relevant period could be included.
What Information Was Potentially Exposed?
The 360training data breach exposed a limited but sensitive set of personal and financial data categories. This information centers primarily on payment details tied to customer transactions on the MEC platform.
- Credit card numbers
- Debit card numbers
- First and last names
- Payment card details associated with transactions
Because the exposed data includes actual card numbers rather than just names or contact details, the risk of financial fraud is significant. Criminals who obtain this information can attempt unauthorized purchases or create cloned cards. As a result, affected individuals should treat this breach as a direct threat to their financial accounts, not just a privacy inconvenience.
In addition to financial fraud, exposed names paired with card numbers can also fuel targeted phishing attempts. Scammers often use partial breach details to craft convincing messages that appear to come from a bank or card issuer. Therefore, affected individuals should stay alert not only to unauthorized charges but also to suspicious follow-up contact referencing this incident.
What is the company doing?
After discovering the breach, MEC and 360training took immediate steps to meet their legal notification obligations. The company reported the incident to multiple state attorneys general, including those in California, Maine, New Hampshire, Texas, and Vermont. It also notified the Massachusetts Office of Consumer Affairs and Business Regulation, ensuring regulators in every affected state received formal disclosure.
In addition to regulatory filings, the company sent written notification letters to affected consumers on Feb. 24, 2026. These letters explained what happened and offered guidance on protecting personal information going forward. The notice included contact information for the Federal Trade Commission and major credit bureaus, allowing recipients to place fraud alerts or credit freezes directly.
The company also informed affected individuals of their right to file a police report if they experience identity theft. Furthermore, the notice included state-specific attorney general contact information, giving consumers additional resources depending on where they live. This layered approach reflects the multi-state nature of the breach and the differing notification requirements each state imposes.
What Should Affected Individuals Do?
Monitor Your Financial Accounts Closely
Because this breach exposed actual credit and debit card numbers, affected individuals should review their financial statements right away. Look for any charges you don’t recognize, even small ones, since fraudsters sometimes test stolen cards with minor purchases first.
In addition to reviewing past statements, set up transaction alerts through your bank or card issuer if you haven’t already. This way, you’ll receive immediate notice of new charges. Consequently, you can catch and dispute fraudulent activity faster, limiting potential financial damage.
Consider a Fraud Alert or Credit Freeze
Given that payment card numbers were exposed, placing a fraud alert or credit freeze with the major credit bureaus is a smart precaution. A fraud alert requires lenders to verify your identity before opening new credit, while a credit freeze blocks new accounts from being opened in your name entirely.
To place either protection, contact Equifax, Experian, or TransUnion directly. Because a fraud alert only needs to be requested with one bureau, it’s typically faster to set up. However, a credit freeze offers stronger protection and may be worth the extra step for those exposed in this breach.
Watch for Phishing Attempts
After a breach like this, scammers often send emails or texts pretending to be from your bank, 360training, or MEC itself. These messages may ask you to confirm account details or click a suspicious link.
As a result, you should never click links or provide information in unsolicited messages referencing this breach. Instead, verify any communication by contacting your bank or the company directly through official channels. This simple habit can prevent a data breach from turning into a secondary scam.
Review Your Credit Reports Regularly
Even though this breach centered on payment card data rather than Social Security numbers, it’s still wise to check your credit reports for unusual activity. You can request free reports from each of the three major bureaus annually through AnnualCreditReport.com.
Because new account fraud can sometimes follow card theft, reviewing your reports helps catch problems early. If you notice unfamiliar accounts or inquiries, dispute them immediately with the credit bureau and consider contacting a data breach attorney for guidance on your options.
Consult a Data Breach Attorney if Needed
If you experience financial losses or ongoing fraud tied to this incident, speaking with a data breach attorney can help clarify your legal options. Many attorneys offer free consultations to review your specific situation.
Furthermore, an attorney can advise whether you may qualify to join a class action or pursue individual compensation. Given the multi-state scope of this breach, legal remedies may vary depending on where you live, so professional guidance can be especially valuable.
More Information
Official State Attorney General Notification
Official Data Breach Notification Letter (PDF)
Official State Attorney General Notification
