International credit bureau TransUnion confirmed this morning that it has been the victim of a hack by a “criminal third party” and will not be paying the extortion demand that was received.
Criminal hacking group N4aughtysecTU, allegedly based in Brazil, has claimed responsibility, alleging that it has accessed the personal information of 54 million consumers, amounting to roughly 4TB (four terabytes) of data. TransUnion says the hacking group obtained access via the misuse of an authorised client’s credentials and the relevant account has been suspended. United Nations Data currently peg the South African population at 60.6 million people.
An off-the-record source told Daily Maverick that TransUnion believes the 54 million records relate to a 2017 data incident unrelated to TransUnion.
The global consumer credit bureau says it will be offering “impacted consumers” an annual subscription to its identity protection product, TrueIdentity, free of charge, at a cost to it of R499 per person. If all 54 million hacked accounts receive this protection, the company’s cost will be a staggering R27 billion. Weirdly, the alleged extortion demand has been reported in various media at between R223 million and R225 million.
The breach affects all South Africans who have taken on credit agreements, regardless of the loan size. When you enter into agreements with your banks or other financial institutions, credit card companies, auto lenders, utilities or other creditors, you automatically consent to sharing credit and payment history with the credit bureaus. These agreements outline the fact that your account information and payment history will be reported to the credit reporting agencies.
A statement on the TransUnion website says:
- The incident impacted an isolated server holding limited data from our South African business.
- Our team is working closely with external experts to gain an understanding of what data was affected.
- The affected data may include consumer information, such as telephone numbers, email addresses, identity numbers, physical addresses and a few credit scores.
Once the hacking attempt was identified late this week, TransUnion took “certain elements” of its services offline. However, these services have since resumed. A source noted that since the data was not being held back by the hackers for a ransom, the attempt is being treated as extortion rather than a ransomware demand.
“The security and protection of the information we hold is TransUnion’s top priority,” said Lee Naik, CEO of TransUnion South Africa. “We understand that situations like these can be unsettling, and TransUnion South Africa remains committed to assisting anyone whose information may have been affected.”
Johann van Tonder, Senior Policy Adviser at the Association for Savings and Investment South Africa (Asisa), says since a number of Asisa members make use of the TransUnion credit verification services, there is a high possibility that the compromised information includes personal details of South African life assurance policyholders and investors.
“While it appears that the client information obtained by the hackers is limited to names, contact details and ID numbers, we are concerned that this could be used by criminals to trick consumers into sharing account passwords,” he says.
Van Tonder says the financial sector is very aware of the risks of the constant cybersecurity threats facing the industry. Asisa has already established a Cyber Security Incident Response Team with the aim of helping member companies combat threats to cybersecurity by encouraging and facilitating the sharing of cybercrime trends and other relevant information. The Asisa response team is one of three industry response teams in existence in the financial sector.
Van Tonder says intra-sector collaboration in the fight against cybercrime is critical. “Asisa is therefore working closely with the South African Banking Risk Information Centre (SABRIC) to assess the full impact of the TransUnion South Africa data breach on South African consumers.”
SABRIC CEO Nischal Mewalall says SABRIC has already engaged TransUnion South Africa with the aim to coordinate the banking industry’s efforts to secure bank customers’ profiles against abuse. “South African banks take the security of their customer data very seriously and have put in place robust risk mitigation strategies to detect potential fraud on accounts and protect customer personal information as the investigation unfolds,” he says.
Mewalall adds that the compromise of personal information does not guarantee access to a customer’s banking profile or account, but that criminals can use this information to impersonate people or trick them into disclosing their confidential banking details.
SABRIC urges bank customers and other consumers to follow sound identity management practices to mitigate the risk of identity theft and fraudulent applications, and recommends that bank customers follow these precautionary measures:
- Do not disclose personal information such as passwords and PINs when asked to do so by anyone via telephone, fax or even email.
- Change your password regularly and never share it with anyone else.
- Verify all requests for personal information and only provide information when there is a legitimate reason to do so.
- Do not use the information that may have been compromised. Rather use other personal information that you have not used previously to confirm your identity in future.