> The threat actor appears to have obtained this information by paying multiple contractors or employees working in support roles outside the United States

yea that is what they get. Hope this hurts them bad.

At my last job for a "casual dating" app, all new account verification stuff was sent to some shop in the Philippines. I got involved with troubleshooting some random DB locks that were causing down time. Ended up discovering that this firm tried to automate the verification process with some scripts or something that would sometimes go haywire and send over 100 requests per second to the new account admin portal which would bring down the entire site. Management just asked them nicely to be more careful which brought the peaks down to 80 requests per second which the back end seemed to be able to cope with (just barely). They couldn't careless that there were supposed to be humans looking at this data and they were clearly trying to automate that part out. Even worse, once I started looking at the data that was in the portal, it was credit card name and billing addresses, and DL license or passport scans. Before I could really further fix the performance issue, I was laid off. Then a few months later they did another lay off which cleaned out every american employee. This was an american company that had ~150 american employees and now there are none. Just two execs at the top that get to watch the money roll in while they farm out everything to overseas. Really pisses me off bad >:(

It will happen (at least attempted) with on-shore support staff too, My next door neighbour used to work for a UK high street bank and even there support staff were approached, with some of them first befriended, and eventually bribed in to passing along PII. No doubt it happens in the US too. Just costs the bad guys more.