TransUnion hack sucks in Experian as civil claims loom

Admire Moyo
By Admire Moyo, ITWeb's news editor.
Johannesburg, 25 Mar 2022

As the hackers that broke into TransUnion’s IT systems continue to exert pressure and embarrass the company, they have threatened to re-leak data that was hacked from Experian in 2020.

Meanwhile, a legal expert says under-fire credit bureau TransUnion may find itself receiving civil claims from those affected in the data breach that hit the company last week.

The hacker group is demanding a $15 million (R224 million) ransom from TransUnion.

Last week, ITWeb broke the news that the hacker group, going by the name N4ughtysecTU, which claims to hail from Brazil, breached TransUnion and accessed 54 million personal records of South Africans.

The group claimed the credit bureau was using the word “password” as its password.

The hacker group had given TransUnion until today to pay the ransom, or they would leak sensitive personal information retrieved from the company’s database.

“To all those who have interacted with us: We have been open and fair from day one...We will allow until Friday, 25 March 2022. We urge you all to take this seriously as we do not bluff. If we are treated fairly, we will return this [data]. If we are not, we will be forced to roll out,” the group threatens.

However, TransUnion has stuck to its guns that it will not pay the ransom.

ITWeb understands the Information Regulator, which is the enforcer of SA’s data privacy law − the Protection of Personal Information Act − met with TransUnion on Tuesday, asking for details of the extent of the cyber breach.

The regulator today expressed continued dissatisfaction with the security compromise notification submitted by TransUnion, saying the company did not furnish it with adequate details regarding the hack.

The hacker group has, since last week, been leaking personal information of individuals and companies via the Telegram messaging app.

Some of the samples of the data leaked on the app include those of leading companies, such as mobile operator Cell C, insurer King Price, Bidvest Bank, Momentum, Nedbank, Netstar and DataDot.

Individuals such as politicians as well as political parties have not been spared, as the group continues to exert pressure on TransUnion.

In a new development, the group claims to have accessed data that was hacked from another credit bureau, Experian, in 2020.

Experian, a consumer, business and credit information services agency, experienced a breach of data which exposed some personal information of as many as 24 million South Africans and 793 749 business entities to a suspected fraudster.

Ever since, Experian has struggled to contain this hack, with clients’ data having been spotted on the Telegram app from time to time.

Now, N4ughtysecTU is demanding a $7.5 million ransom from Experian for the group not to release the data.

It is not clear if the two hacks are related.

“We are demanding USD7.5 million (R110 million) from Experian or we re-leak files tomorrow with TransUnion,” says the group.

Impact mitigation

Meanwhile, Chanique Rautenbach, a senior associate with Barnard Incorporated Attorneys, says TransUnion initially informed its customers that the affected data was limited to telephone numbers, e-mail addresses, identity numbers and physical addresses.

However, there are claims that the hackers have demonstrated they also have bank accounts, vehicle ownership information, as well as a Department of Home Affairs file containing names, ID numbers and birth dates, notes Rautenbach.

“With the scale and impact of the hack, it will be interesting to see if and how South Africa’s Information Regulator will try and mitigate the impact.”

According to Rautenbach, the Information Regulator can issue compliance orders to bring about actions to mitigate future risks, or to mitigate the current impact.

She points out that in this case, the possibility of issuing fines, as reported in the media, will not mitigate the impact. “But an order could be made, whereby information campaigns on the breach by TransUnion are mandated by the Information Regulator.”

Rautenbach notes these information campaigns must reach and inform data subjects from all walks of life that the TransUnion breach may cause many fraudulent banking scams to emerge, and should instruct data subjects to validate telephonic requests from persons posing as their bankers with the branches of their banking institutions.

“We are yet to see civil claims from data subjects for losses caused due to the leak of their personal information. However, if persons are defrauded as a result of the leak, these civil claims should become more prevalent,” she concludes.