Vacation Myrtle Beach Data Breach Exposes PHI and PII of 10k

Vacation Myrtle Beach, a large oceanfront resort group in South Carolina, has disclosed a data breach that affected approximately 10,750 people in the United States, including four Maine residents and six Vermont residents identified as affected.

Vacation Myrtle Beach mailed out notification letters on May 15, 2026.

On June 16, 2025, Vacation Myrtle Beach became aware of suspicious activity in its network environment, according to the company's notification to consumers. The company took steps to secure its network and launched an investigation with the help of independent forensic experts to determine the scope of the incident.

On June 19, 2025, the ransomware group known as PLAY posted a claim on the dark web. The group stated it had obtained data from Vacation Myrtle Beach and announced plans to publish the stolen information on June 23, 2025.

The group claimed to have compromised data such as private and personal confidential data, client documents, budget information, payroll records, accounting data, tax information, identification documents and financial information.

The company's investigation determined that certain data may have been acquired without authorization.

Vacation Myrtle Beach then engaged an independent team to conduct a comprehensive review of the affected files.

The types of personally identifiable information (PII) confirmed to have been exposed varied may have included names, Social Security numbers, driver's license numbers or state identification numbers, financial account information (including credit and debit account data) and passport numbers.

The breach also potentially exposed protected health information (PHI) in the form of health records.

Vacation Myrtle Beach's response to the breach

The company is offering affected individuals complimentary credit monitoring and identity protection services through Cyberscout, a TransUnion company. Affected individuals can enroll within 90 days of the date of their notification letter by visiting Cyberscout's enrollment page and entering the unique enrollment code included in their letter.

For questions about the incident, affected individuals can call TransUnion's dedicated help line at 1-877-424-7790, Monday through Friday from 8 a.m. to 8 p.m. Eastern Time, excluding holidays.

Steps to take if your information was exposed

• Place a fraud alert or security freeze on credit files by contacting Equifax (1-800-525-6285), Experian (1-888-397-3742) or TransUnion (1-833-799-5355).
• Review credit reports for unfamiliar activity by requesting free copies from all three major credit bureaus at AnnualCreditReport.com.
• Monitor bank and financial account statements closely for unauthorized transactions and report any suspicious charges to the financial institution right away.
• Be alert for potential passport fraud and contact the U.S. State Department if any suspicious activity involving a passport is detected.
• Watch for phishing attempts that reference Vacation Myrtle Beach or this data breach by name, as scammers may use the incident to trick people into sharing more personal information.
• Report any suspected identity theft to the Federal Trade Commission at consumer.ftc.gov or by calling 877-438-4338.