TransUnion ordered to inform those whose information was compromised in hack
The Information Regulator has ordered credit bureau TransUnion to publicise details of information hackers have stolen in newspaper and television adverts and on all radio channels using all of SA’s official languages.
It said it was dissatisfied with the bureau’s response to the hack.
The hackers, who call themselves N4ughtySecTU, said they would leak consumers’ sensitive credit information and data if they were not paid a $15m (R218m) ransom.
It is common practice for so-called white-hat or grey-hat hackers to find security vulnerabilities in a company’s IT system and then reveal themselves, claiming a bounty fee.
TransUnion has refused to pay what it calls “extortion”.
The breach was first revealed by online publication ITWeb on March 17, forcing TransUnion to admit that hackers had acquired access to an SA server.
The hackers say they have 28-million credit records and 54-million identity numbers. TransUnion believes the 54-million number relates to a 2017 hacking of an SA government website.
TransUnion said in a statement on Friday that at least 3-million consumers were affected by the hack. It has started messaging and emailing those affected.
After the regulator criticised the lack of information, TransUnion revealed that the stolen data could include a person’s name, ID number, gender, contact details, marital status, the identity of their employer and duration of employment, vehicle finance contract numbers and vehicle identity numbers. In isolated circumstances, a spouse’s information, passport numbers, and credit and/or insurance scores may have been stolen.
A further 6-million ID numbers could have been stolen, but it is not clear if they are linked to any other information.
The extent of the breach means banks and insurers are also at risk as criminals can use the leaked data to scam banks over the phone and pass security checks that aim to verify the customer’s identity.
This means SA banks and insurers may have to modify the internal verification systems they use to detect fraud.
The Information Regulator was established in 2021 when the Protection of Personal Information Act (Popia) came into effect.
This is likely the first time the regulator has ordered a company to publicise a data breach, exercising its new powers in an attempt to keep consumers safe. It also has the power to fine TransUnion as much as R10m.
The regulator said on Friday TransUnion had not provided it with sufficient information about the hack and how the stolen data would be contained.
Scammers can also use personal information to call consumers and, by convincing them the caller is from the bank, trick them into handing over their banking PINs and other sensitive information. It can also be used in identity theft — allowing criminals to open credit accounts in consumers’ names.
TransUnion collects credit information to provide to lenders such as insurers, banks and vehicle finance houses.
The regulator said on Friday the credit bureau did not explain how it would mitigate risks arising from the leak.
The incident reveals the limits of the Popia legislation despite its requirement that companies take action to remedy data leaks. While the regulator wants to know how TransUnion will stop all data being used in “malicious actions”, it is not clear what a company can do once the data is stolen and released onto the dark web, which can only be accessed through special software that allows users to remain untraceable.
The regulator expressed “grave concern” about the credit bureau’s approach to ensuring that there are no further attacks.
By combining data sets of previously stolen ID numbers, home addresses and phone numbers with the new credit information, the hackers have the ability to create detailed records.
N4ughtySecTU claims to have found data on the dark web that was released in the 2020 hack of credit bureau Experian. They also claim to have approached Experian for a ransom.
TransUnion believes the hackers are combining various stolen data sets.
The regulator says it will conduct an assessment of TransUnion’s security systems. It ordered TransUnion to provide it with confirmation that a criminal case has been opened with the police.
TransUnion has published a statement on its website warning consumers not to “disclose personal information such as passwords and PINs via the phone, fax, text messages or even email”. It also urged consumers to verify all requests for personal information and only provide it when there is a legitimate reason to do so.