Vacation Myrtle Beach Data Breach Exposes Social Security Numbers and Financial Information

Other Commercial data breach illustration
Breach Discovery: 16th June 2025Breach Notification: 15th May 2026

What Happened in the Vacation Myrtle Beach Data Breach?

Vacation Myrtle Beach, a large oceanfront resort group based in South Carolina, has disclosed a data breach affecting thousands of people. The company detected suspicious activity in its network environment on June 16, 2025. As a result, it moved quickly to secure its systems and launch a formal investigation.

Just days later, on June 19, 2025, a ransomware group known as PLAY posted a claim on the dark web. The group stated it had obtained data from Vacation Myrtle Beach and threatened to publish the stolen files on June 23, 2025. According to the group’s claims, the stolen data included private and confidential records, client documents, budget information, payroll records, accounting data, tax information, identification documents and financial information.

Following this threat, Vacation Myrtle Beach brought in independent forensic experts to determine the scope of the incident. The investigation confirmed that certain data had likely been acquired without authorization. Because of this finding, the company engaged an additional independent team to conduct a comprehensive review of every affected file. This review ultimately identified the specific categories of personal information involved.

Who was affected?

The breach affected approximately 10,750 people across the United States. This includes 7,738 South Carolina residents, 22 Indiana residents, four Maine residents and six Vermont residents identified so far. Given the company’s role as a resort operator, those affected likely include guests, clients and possibly employees whose information was stored in Vacation Myrtle Beach’s systems.

The presence of payroll and accounting records among the data the attackers claimed to access suggests employees may be affected in addition to customers. The company has not publicly disclosed a further breakdown between guest and staff records. Because the breach touched multiple states, the incident carries a broad geographic footprint that extends well beyond South Carolina’s coastline.

What Information Was Potentially Exposed?

The investigation confirmed that a range of sensitive personal information was compromised in this breach. This is significant because it goes beyond basic contact details into information that can directly enable identity theft or financial fraud.

  • Full names
  • Social Security numbers
  • Driver’s license numbers or state identification numbers
  • Financial account information, including credit and debit account data
  • Passport numbers
  • Protected health information (PHI) in the form of health records

Because Social Security numbers and driver’s license numbers were exposed, affected individuals face a heightened risk of identity theft. Criminals can use this combination of data to open new credit accounts, file fraudulent tax returns or apply for loans in someone else’s name. This type of fraud can be difficult to detect right away and may take months to fully unwind.

In addition, the exposure of financial account information and passport numbers raises the risk of direct financial fraud and travel document fraud. Someone with access to both a passport number and a Social Security number could attempt to impersonate the victim in high-stakes transactions. Meanwhile, the potential exposure of health records means some individuals could also face medical identity theft, where a criminal uses stolen health information to obtain treatment or file false insurance claims.

What is the company doing?

After discovering the suspicious activity, Vacation Myrtle Beach took immediate steps to secure its network. The company then worked with independent forensic experts throughout the investigation to understand exactly what happened and which files were affected. This process ultimately led to a detailed review of every impacted record.

As a result of its findings, Vacation Myrtle Beach began notifying affected individuals by mail on May 15, 2026. The company is also offering complimentary credit monitoring and identity protection services through Cyberscout, a TransUnion company. Affected individuals can enroll within 90 days of the date on their notification letter using the enrollment code provided in that letter.

What Should Affected Individuals Do?

Enroll in Credit Monitoring and Identity Protection

Anyone who received a notification letter should enroll in the complimentary credit monitoring and identity protection services being offered. This service is provided through Cyberscout and can help detect suspicious activity early. Enrollment must happen within 90 days of the letter’s date, so acting quickly matters.

To sign up, affected individuals should visit Cyberscout’s enrollment page and enter the unique code included in their letter. For questions about the process, TransUnion operates a dedicated help line staffed Monday through Friday. This service offers a straightforward first line of defense while the fuller effects of the breach become clear.

Place a Fraud Alert or Credit Freeze

Because Social Security numbers and financial account data were exposed, placing a fraud alert or credit freeze is a strong next step. A credit freeze restricts new creditors from accessing a credit report, which makes it much harder for a criminal to open new accounts. This can be done by contacting Equifax, Experian or TransUnion directly.

A fraud alert, meanwhile, requires creditors to take extra verification steps before issuing new credit in someone’s name. Both options are free and can be lifted later once the risk has passed. For those affected by this breach, either step adds meaningful protection against the specific type of fraud these stolen records could enable.

Monitor Financial Accounts and Credit Reports Closely

Affected individuals should also review their credit reports for any unfamiliar activity. Free copies are available from all three major credit bureaus through AnnualCreditReport.com. Because fraudulent accounts can sometimes go unnoticed for months, checking reports regularly is an important habit going forward.

In addition to credit reports, it helps to monitor bank and credit card statements closely for unauthorized transactions. Any suspicious charges should be reported to the financial institution immediately. Early detection often makes the difference between a quickly resolved issue and a much longer fraud recovery process.

Protect Against Passport and Medical Fraud

Since passport numbers were among the data potentially exposed, affected individuals should stay alert for signs of passport fraud. If any suspicious activity involving a passport is discovered, the U.S. State Department should be contacted right away. This type of fraud is less common but can be serious if it occurs.

Because health records were also potentially exposed, individuals should watch their medical bills and insurance statements for unfamiliar claims or services. This can be an early warning sign of medical identity theft. Anyone who notices unusual insurance activity should contact their health insurer and healthcare providers promptly to dispute the charges.

Stay Alert for Phishing Attempts and Report Identity Theft

Scammers often use news of a data breach to craft convincing phishing messages. Affected individuals should be cautious of any emails, calls or texts referencing Vacation Myrtle Beach or this incident specifically. Legitimate companies will not ask for sensitive information over unsolicited messages.

If identity theft is suspected at any point, it should be reported to the Federal Trade Commission through its official website or by phone. Filing a report creates an official record that can help with disputing fraudulent accounts later. For those overwhelmed by the process, consulting a data breach attorney for a free case evaluation can help clarify legal options and next steps.



More Information

Official Notice from Vacationmyrtlebeach

Official Data Breach Notification Letter (PDF)

Official Data Breach Notification Letter (PDF)

Official Notice from Maine

Official Notice from Vermont

Official Notice from Cyberscout

Related Data Breaches