
Playing truth or dare with TransUnion hackers

By Admire Moyo, ITWeb's news editor.
Johannesburg, 18 Mar 2022

While I have written countless stories about cyber security, it has never dawned on me that I could also become a victim.


The stark reality sank in this week that my personal information is not safe at all, after a hacker contacted me claiming he had hacked the South African arm of US-based credit bureau TransUnion.

ITWeb on Thursday evening broke the news that TransUnion had fallen victim to a nasty hack, with the attackers going by the name N4aughtysecTU demanding a mammoth ransom of $15 million (R223 million) over 4TB of compromised data they hacked from the credit bureau.

I have the Telegram messaging app on my phone and I hardly use it, but yesterday I was taken aback to see a message on the platform from someone claiming to be a hacker from Brazil who had compromised personal records of up to 54 million South Africans and non-South Africans.

Initially, I was sceptical of such a claim. After all, I have known TransUnion to be a robust organisation, which I believed had watertight cyber security systems in place.

“Why, of all the journalists, had this group targeted me with such a story?” I asked myself. “Are they just trying to use the story as bait in order to hack me?”

I then probed the group further to find out how they had managed to infiltrate an organisation like TransUnion and even to get my phone number, and the response was shocking. “They left the door open. What a joke. They were using the word ‘password’ as their password.”

That made me doubt the story even more, as I know “password” is one of the most common passwords. It just didn’t make sense that an organisation like TransUnion would be using that to protect the millions of personal records that individuals and businesses entrust them with.

According to NordPass, a proprietary password manager, the word “password” is the fifth most commonly used password, with more than 20 million users. It is only beaten by other common passwords such as “123456”, “123456789”, “12345” and “qwerty”.

Closer to home

Sensing my hesitancy, the hackers had to make it personal, telling me they had also found my personal information on the TransUnion database, which they were willing to send if I still did not believe the magnitude of the hack.

They even said that after reading some of the stories I had written, they retrieved my phone number from the TransUnion hack to be able to contact me.

After debating with myself for a while, I dared them to send it, only for my worst fears to become a reality. I was also a victim.

I was frightened when the information started filtering through. They had information about the first apartment that I rented, my cellphone number, work number, e-mail address, ID number, as well as the cars I have driven (models, makes, colours, VIN numbers, engine numbers, where I bought them), etc.

Upon realising more information was still coming through and I had been exposed, I told them to stop, as it was too close to home.

I am one of the 54 million victims whose personal information is in the hands of an unauthorised third party, while all along I had a false sense of security.

When they were done with me, they went to corporate organisations they want to target. The list is endless, including blue chip companies (financial services firms) and their registration numbers.

ITWeb will not be disclosing the list.

Apparently, the group is looking to coerce these clients into paying cyber insurance to them, or else their data will be at their mercy.

This is the reality we face when we innocently, with trust, provide our personal details to organisations in the hope that they will be secure.

TransUnion yesterday confirmed that a criminal third-party had obtained access to its South African server through misuse of an authorised client’s credentials.

“We have received an extortion demand and it will not be paid,” the credit bureau says in a statement to ITWeb.

The worrying part is TransUnion seems to be downplaying the impact of this, saying the “incident impacted an isolated server holding limited data from our South African business”.

If my personal information was retrieved from this database, what are the odds that almost every South African with a credit history has been impacted as the hackers say?

While TransUnion is doing the wise thing by not giving in to the extortion demands, the cyber criminals have threatened that if the ransom is not paid in Bitcoin in seven days, they will expose all of the data and start targeting the corporate clients. Who knows if they have not already shared it on the dark web?

POPIA ramifications

Experian, a credit bureau which was hacked back in 2020, is still struggling to contain that data breach to this day.

This is a breach that exposed the personal information of as many as 24 million South Africans and 793 749 business entities to a suspected fraudster.

We are still to hear of any consequences Experian faced, although South Africa’s Protection of Information Act (POPIA) was in place.

Out of curiosity, I asked the hackers about their motive and what they stand for besides looking to extort money from TransUnion, and this is what they said: “We are an ethical hacking group. We will delete all data and not leak anything if they co-operate. We don’t want to be known for causing damage.

“We only expose seriously weak systems such as in this case the password being ‘password’. We want them to make sure they secure their systems and pay us for bringing this to their attention.”

The Information Regulator is, among other duties, empowered to monitor and enforce compliance by public and private bodies with the provisions of South Africa’s data privacy law, POPIA.

Organisations that do not meet the conditions prescribed by the legislation must be held liable. Previously, the Information Regulator did not have teeth to deal with violators of the data privacy law, which was passed in July 2020.

The Act sets down firm frameworks that companies have to abide by to avoid fines, criminal prosecution and potential reputation loss.

Breaching the rules and regulations outlined by this Act can have serious implications for the business, which can cost more than money and have long-lasting consequences.

The Act makes provision for fines of up to R10 million and a jail sentence of up to 10 years, depending on the seriousness of the breach.