Business Maverick

CYBERSECURITY

TransUnion data breach potentially leaves 54 million South Africans exposed 

(Photo: Chris Ratcliffe / Bloomberg)

International credit bureau TransUnion confirmed this morning that it has been the victim of a hack by a 'criminal third party' and will not be paying the extortion demand that was received. 

Criminal hacking group N4aughtysecTU, allegedly based in Brazil, has claimed responsibility, alleging that it has accessed the personal information of 54 million consumers, amounting to roughly 4 terabytes of data. TransUnion says the hacking group obtained access via misuse of an authorised client’s credentials and the relevant account has been suspended. United Nations data currently peg the South African population at 60.6 million people. 

An off-the-record source told Daily Maverick that TransUnion believes the 54 million records relate to a 2017 data incident unrelated to TransUnion.

The global consumer credit bureau says it will be offering “impacted consumers” an annual subscription to its identity protection product, TrueIdentity, free of charge, at a cost to it of R499 per person. If all 54 million hacked accounts receive this protection, the cost will be a staggering R27-billion for the company. Weirdly, the alleged extortion demand has been reported in various media at between R223-million and R225-million. 

The breach affects all South Africans who have taken on credit agreements, regardless of the size of the loan. When you enter into agreements with your banks or other financial institutions, credit card companies, auto lenders, utilities or other creditors, you automatically consent to sharing credit and payment history with the credit bureaus. These agreements outline the fact that your account information and payment history will be reported to the credit reporting agencies.

A statement on the TransUnion website says: 

  • The incident impacted an isolated server holding limited data from our South African business.
  • Our team is working closely with external experts to gain an understanding of what data was affected.
  • The affected data may include consumer information, such as telephone numbers, email addresses, identity numbers, physical addresses and a few credit scores. 

Once the hacking attempt was identified late this week, TransUnion took “certain elements” of its services offline. However, these services have since resumed. A source noted that since the data was not being held back by the hackers for a ransom, the attempt is being treated as extortion rather than a ransomware demand. 

“The security and protection of the information we hold is TransUnion’s top priority,” said Lee Naik, CEO of TransUnion South Africa. “We understand that situations like this can be unsettling and TransUnion South Africa remains committed to assisting anyone whose information may have been affected.”

Johann van Tonder, senior policy adviser at the Association for Savings and Investment South Africa (Asisa), says since a number of Asisa members make use of the TransUnion credit verification services, there is a high possibility that the compromised information includes personal details of South African life assurance policyholders and investors.

“While it appears that the client information obtained by the hackers is limited to names, contact details and ID numbers, we are concerned that this could be used by criminals to trick consumers into sharing account passwords,” he says.

Van Tonder says the financial sector is very aware of the risks of the constant cybersecurity threats facing the industry. Asisa has already established a Cyber Security Incident Response Team with the aim of helping member companies combat threats to cybersecurity by encouraging and facilitating the sharing of cybercrime trends and other relevant information. The Asisa response team is one of three industry response teams in existence in the financial sector.

Van Tonder says intrasector collaboration in the fight against cybercrime is critical. “Asisa is therefore working closely with the South African Banking Risk Information Centre (Sabric) to assess the full impact of the TransUnion South Africa data breach on South African consumers.”

Chief executive of Sabric Nischal Mewalall says Sabric has already engaged TransUnion South Africa with the aim to coordinate the banking industry’s efforts to secure bank customers’ profiles against abuse. “South African banks take the security of their customer data very seriously and have put in place robust risk mitigation strategies to detect potential fraud on accounts and protect customer personal information, as the investigation unfolds,” he says.  

Mewalall adds that the compromise of personal information does not guarantee access to a customer’s banking profile or account, but that criminals can use this information to impersonate people or trick them into disclosing their confidential banking details. 

Sabric urges bank customers and other consumers to follow sound identity management practices to mitigate the risk of identity theft and fraudulent applications, and recommends that bank customers follow these precautionary measures:

  • Do not disclose personal information such as passwords and PINs when asked to do so by anyone via telephone, fax or even email.
  • Change your password regularly and never share it with anyone else.
  • Verify all requests for personal information and only provide information when there is a legitimate reason to do so.
  • Do not use the information that may have been compromised. Rather use other personal information that you have not used previously to confirm your identity in future. BM/DM

Comments

  • Ian Ashmole says:

    The data of TransUnion and the other credit bureaux is so compromised that this is probably not a big issue. The bureaux do not check or verify any data submitted to them – my bank in its wisdom has decided to use the bureaux information as a verification mechanism in telephonic communication. “Can you confirm that your address is …?” Um no, never lived there! “Can you confirm that your employer is …?” Um, no, never worked there! And so on. I have checked my data on several bureaux, and all have data that has never pertained to me. It seems that scammers try to apply for accounts with various retailers, and even though the applications are ultimately unsuccessful, the fingerprints remain in the bureaux data. I have tried in vain to have the incorrect data removed – mainly because my bank does not believe I am who I say I am… No success yet!
