Using "Password" as a password? Credit giant leaked 54 million customer records

TransUnion, a U.S. consumer credit reporting agency, recently issued a statement on a data breach, saying that a hacking team used the credentials of authorized customers to illegally access the company's servers in South Africa and steal a large amount of customer information. TransUnion has brought in cybersecurity experts to investigate, rejected the hackers' ransom demands, and promised affected customers a free annual subscription to an identity protection product.

TransUnion publishes a statement

Public information shows that TransUnion, along with Experian and Equifax, is one of the "Big Three" U.S. credit reporting agencies. TransUnion's customers include nearly 70,000 businesses, and it collects and aggregates information on more than 1 billion individual consumers in more than 30 countries. Its total assets were $7.1 billion in 2019.

A Brazilian hacking group, N4aughtysecTU, reportedly claimed to have breached poorly secured TransUnion SFTP servers and stolen 54 million pieces of consumers' personal information, totaling up to 4TB (a unit of electronic storage, 1TB = 1000GB), with most of the affected customers in South Africa. The stolen customer information includes phone numbers, email addresses, ID numbers, home addresses, and consumer credit scores.

On March 11, local time, the hacking group issued a warning to TransUnion, demanding about 223 million South African rand, or about $15 million worth of bitcoin, within seven days, and threatening otherwise to leak the personal information and attack customers.

The data breach and extortion attempt were quickly confirmed. On March 19, TransUnion issued a statement saying that the hacking team used the credentials of authorized customers to illegally access servers at its South African branch and steal customer information. TransUnion suspended access as soon as the attack occurred, contacted regulatory authorities, and set up a team of cybersecurity experts to investigate. The functions that had been suspended have since been restored.

TransUnion refused the hacking team's extortion demands. According to its public statement, TransUnion believes the incident affected only orphaned servers holding limited South African business data and that customers outside Africa were not affected. As compensation, TransUnion promised affected customers a free annual subscription to TrueIdentity, an identity protection product, and a dedicated website that reports progress on the incident during the investigation.

TransUnion's tough stance has also prompted the hacking team to shift its strategy — they plan to offer customers whose personal information has been stolen the opportunity to buy "insurance," and if small businesses are willing to pay $100,000 and large enterprises pay $1 million, the hacking team promises not to divulge the personal information of specific customers.

It is worth noting that N4aughtysecTU told the media that the TransUnion system's security defenses were very weak and that the password in use was the extremely easy-to-crack "Password", which gave the hackers an opening for a brute-force attack. In a report last year, NordVPN listed "Password" as the fifth most common password of 2021, one that takes less than a second to crack.

Common passwords listed in NordVPN reports

In fact, this is not the first major data breach suffered by one of the "Big Three" U.S. credit reporting agencies in South Africa. In August 2020, fraudsters impersonating customers defrauded the South African branch of Experian, resulting in the disclosure of the personal information of up to 24 million South African users. The suspects were arrested a year later.

"Ensuring that the information we hold is secure is TransUnion's top priority." In a statement, TransUnion South Africa CEO Lee Naik stressed that while they know the current situation is disturbing, TransUnion South Africa remains committed to helping anyone whose personal information may be affected.

Compilation/Synthesis: Nandu trainee reporter Fan Wenyang
