VIDEO: TransUnion hackers claim to have president’s details

By Admire Moyo, ITWeb's news editor.
Johannesburg, 20 Mar 2022

The hackers that broke into credit bureau TransUnion claim they have the president’s personal information.

ITWeb had an interview with the hacker group, N4ughtysecTU, which is demanding a mammoth ransom of $15 million (R223 million) over 4TB of compromised data they hacked from the credit bureau.

This, as the Information Regulator has instructed TransUnion to report in greater detail regarding its security compromise.

ITWeb broke the news that the hacker group, going by the name N4ughtysecTU, which claims to hail from Brazil, is alleging it breached TransUnion and accessed 54 million personal records of South Africans.

In the interview, the hackers threatened to use the data they stole from TransUnion for espionage and social engineering.

In the context of information security, social engineering is the psychological manipulation of people into performing actions or divulging confidential information.

The hackers say they will leak the data if the ransom is not paid. If it’s not paid, they say they will get the recognition.

“TransUnion think that they are clever. We have been in their system since 2012. We have data of your president, all ministers, judges, all prosecutors. We have all the information from their systems. Everybody.”

They say what TransUnion did in using the word “password” as its password is “unforgivable”.

When asked what will happen if TransUnion does not pay the ransom, N4ughtysecTU said: “If they are willing to roll the dice, then they will feel our wrath. We are going to expose all the data. Unfortunately, only TransUnion can save the situation. TransUnion are to blame for this; they left their systems open.”

The Information Regulator is, among other duties, empowered to monitor and enforce compliance by public and private bodies within the provisions of South Africa’s data privacy law, POPIA.

Organisations that do not meet the conditions prescribed by the legislation must be held liable. Previously, the Information Regulator did not have teeth to deal with violators of the data privacy law, which was passed in July 2020.

The Act sets down firm frameworks that companies have to abide by to avoid fines, criminal prosecution and potential reputation loss.

Breaching the rules and regulations outlined by this Act can have serious implications for the business, which can cost more than money and have long-lasting consequences.

The Act makes provision for fines of up to R10 million and a jail sentence of up to 10 years, depending on the seriousness of the breach.

The Information Regulator met with representatives from the TransUnion credit bureau on Saturday, 19 March, to discuss recent reports of hacking of TransUnion's IT systems.

The regulator says in a statement: “The regulator called for a meeting with TransUnion following their correspondence to the regulator on the incident that may have compromised the security of personal information of an undisclosed number of data subjects (the people about whom the information relates).”

The regulator says the Protection of Personal Information Act No 4 of 2013 (POPIA), of which the regulator is the enforcement authority, requires all private or public bodies (referred to as “the responsible party”) that have experienced a security compromise to inform the regulator and the affected parties following such an incident.

At the meeting between the CEO of TransUnion South Africa and the regulator, the regulator spelt out its expectations regarding the notification of affected data subjects, says the authority.

During the meeting, it adds, the regulator emphasised the need for affected data subjects to be informed early about any security compromise of their personal information to be able to take the necessary preventative action against wrongful use of their personal information.

The regulator takes into account the implications for many data subjects that could arise as a result of this incident should notification of the data subjects not be treated as a matter of urgency. To this extent, it was agreed that TransUnion will, by Tuesday, 22 March, submit to the regulator specific details regarding the number of affected parties and its plan to notify data subjects in terms of Section 22 of POPIA.

Furthermore, the regulator has instructed TransUnion to report to it on the date that the security compromise occurred, the cause of the security compromise, details of investigations into the security compromise, the extent and materiality of the security compromise, interim measures put in place to prevent a recurrence of the security compromise, and security measures it has put in place to prevent recurrence of the security compromise.

The information sought by the regulator from TransUnion is intended to enable it to assess and institute further investigations.