Credit bureau TransUnion has confirmed that hackers targeting its consumer support operations in the US have not infiltrated any sensitive information on credit-active South Africans.
The company experienced a breach towards the end of July but only reported it to the office of the Maine Attorney General in the US a few days ago.
It said in a statement that “the incident involved unauthorised access to limited personal information for a very small percentage of US consumers”. It confirmed that South Africa was not affected.
South Africa is increasingly being targeted by hackers, with the latest attack affecting Netstar, which resulted in the cyber criminals publishing its data online. Because Netstar wasn’t prepared to engage with the criminals, INC Ransom, “data allegedly from Netstar was published on a site with limited access,” a statement from the company said.
Other publicly disclosed breaches include the South African Broadcasting Corporation, eNCA, South African Weather Service, National Treasury and platinum miner Eastern Platinum, according to iTVersity Belgium Campus monitoring.
TransUnion’s filing states that 4.5 million Maine residents were affected by the hack, with TransUnion also saying the attack affected Canadian consumers. The company said in its statement that it became aware of the attack two days after it occurred.
The US is home to 631 million credit cards, with many Americans having more than two, various sources show, while LendingTree states there are 86 million bonds on homes. There are 340 million Americans.
In South Africa, the latest research shows there are 20 million credit-active consumers, says Benay Sager, executive head of DebtBusters. This is out of a population of 63.1 million, according to the latest Statistics South Africa data.
No boundaries
World Wide Worx MD Arthur Goldstuck told ITWeb that the TransUnion incident highlights how data breaches are no longer isolated events. “Vulnerabilities in widely used platforms like SharePoint can cascade across regions and industries,” he says, referring to a recent Microsoft hack.
Towards the end of July, it was revealed that a wave of cyber attacks targeting Microsoft’s SharePoint document management system affected at least 400 organisations worldwide, including South Africa’s National Treasury, putting government-specific and other sensitive data at risk.
Even though this specific TransUnion breach hasn’t affected South Africa, it underlines how interconnected systems expose local businesses to global risks, says Goldstuck. “The real lesson is that companies think of cyber security as a local issue at their peril.”
Goldstuck adds that hackers “move faster than patches… the timeline is critical. Threat actors typically weaponise disclosed flaws within hours, often before enterprises can deploy patches. The real risk lies in persistence if systems were compromised prior to the fix.”
Key data
TransUnion notes the “cyber incident” affected a third-party application serving its US consumer support operations. “Upon discovery, we quickly contained the issue, which did not involve our core credit database or include credit reports.”
The bureau stores sensitive information, such as names and ID numbers, payment histories on loans and other accounts, and adverse information such as defaults, judgements and debt collections. It also records information from mobile phone and internet providers, and court records.
The thieves responsible for the attack, ShinyHunters, confirmed they stole more than 13 million records in total, states business technology company techradar.pro. “The group shared a sample, as well, showing people’s names, billing addresses, phone numbers, e-mail addresses, dates of birth, and unredacted Social Security numbers,” it adds.
In a blog post, Hoplon InfoSec says the data is “enough for people to try to make fake identities, commit tax fraud and take over accounts”.
Sager notes there is always a risk, however small, that credit bureau information can be compromised, and a few “data leaks” have happened in South Africa over the years.
Veteran ICT commentator Adrian Schofield says the core issue is that “willingly or unwillingly, we supply key information about ourselves to massive databases, expecting that its use will be restricted to that entity for only the purpose it was supplied”.
Schofield adds that disclosures around leaked data or ransomware are increasing and, even though companies assure people there was a limited effect and they had acted swiftly, “the fact remains that increasing amounts of personal and business information are accessible by the criminal fraternity”.
TransUnion says it is “working with law enforcement and engaged third-party cyber security experts for an independent forensics review. Additionally, we will notify affected consumers and provide credit monitoring services.”
The company notes in its statement that it has already taken steps to better identify and restrict malicious IP addresses, as well as further restrict the ability to access third-party applications.
Hacks lead to increasing numbers of people being subjected to scams that can deprive them of their “wealth”, says Schofield. He adds that this could be “wealth” in terms of “as little as next month’s food shopping, or as great as 20 years of retirement funding”.
In 2022, ITWeb broke the news about a TransUnion South Africa hack, when N4ughtySecTU demanded $15 million (R223 million) ransom over 4TB of compromised data.
After the hack, the group claimed it had accessed several million personal records of South Africans, including that of president Cyril Ramaphosa.
SA’s data privacy enforcer, the Information Regulator, issued TransUnion with an enforcement notice.
Share