TransUnion cyber attack – hackers demand R225 million ransom

Credit reporting agency TransUnion South Africa is currently in an ongoing battle with a hacker group demanding a $15 million (R225 million) ransom over four terabytes of compromised data.

The hacker group, going by the name N4aughtysecTU, which claims to be based in Brazil, is alleging it breached TransUnion South Africa and accessed 54 million personal records of South Africans.

The hacker group reportedly claims the information it is in possession of includes anything from credit scores, banking details and ID numbers.

TransUnion South Africa has issued a statement confirming that a criminal third-party obtained access to an isolated South African server, through misuse of an authorised client’s credentials.

TransUnion statement

A criminal third party obtained access to a TransUnion South Africa server through misuse of an authorised client’s credentials. We have received an extortion demand and it will not be paid.

Immediately upon discovery of the incident, TransUnion South Africa suspended the client’s access, engaged cybersecurity and forensic experts, and launched an investigation. As a precautionary measure, TransUnion South Africa took certain elements of our services offline. These services have resumed. We believe the incident impacted an isolated server holding limited data from our South African business. We are working with law enforcement and regulators.

We are engaging clients in South Africa about this incident. As our investigation progresses, we will notify and assist individuals whose personal data may have been affected. We will be making identity protection products available to impacted consumers free of charge.

“The security and protection of the information we hold is TransUnion’s top priority,” said Lee Naik, CEO TransUnion South Africa. “We understand that situations like this can be unsettling and TransUnion South Africa remains committed to assisting anyone whose information may have been affected.”

MyBroadband spoke to a group calling itself N4ughtysecTU, which has claimed responsibility for the attack. It alleged it gained access to the personal records of 54 million South African customers totalling more than 4TB of data.

“We got in via user and then to all files on there server’s [sic],” the group told MyBroadband. According to N4ughtysecTU, the user’s password was “password”.

“We want it to be known that we will be reaching out to them and allow them to verify the data we have,” the group stated.

“If TransUnion does not pay the ransom amount by the deadline, those companies who paid the insurance fee will be safe when we leak the data.”

Common practice

“This alarming news is further indication that every company that holds personal information is a potential target. The consumer desperately needs an extra layer of protection on their identity against criminals who will turn their lives upside down without a second thought,” said Manie van Schalkwyk, CEO of the Southern African Fraud Prevention Service (SAFPS).

The SAFPS said that no organisation is immune against cyber-attacks and the Department of Justice recently announced that it was a victim of a cybercrime.

In a separate incident, Debt-IN Consultants, a professional debt recovery solutions partner to many South African financial services institutions, announced on 22 September that a ransomware attack by cybercriminals resulted in a significant data breach of consumer and employee personal information.

It is suspected that consumer and personal information of more than 1.4 million South Africans was compromised through the Debt-IN attack in April last year. The breach only came to light last week.

“Data breaches have been on the rise globally and South Africa has seen unprecedented increases in the number of cyber victims,” said Dalene Deale, executive head of Secure Citizen, created through a collaboration with SAFPS and OneVault in response to rapid growth in identity theft following online fraud.

“Fraudsters do not discriminate. As we continually move towards the adoption of a digital and more importantly ‘touchless’ era, the platform for fraud increases. Fraud is a fraudster’s business and they often use the same business tactics we use in legitimate business, the difference being that they don’t have customers, they have victims,” said Deale.

“Thanks to an increase in data breaches, fraudsters are motivated and armed with the correct information, meaning that are very capable of impersonating an individual. The impacts of this are catastrophic.”

Van Schalkwyk pointed out that the TransUnion breach is concerning as the records of 54 million South Africans may have been compromised.

“In a country where identity fraud is common practice, this is extremely concerning. It is critical that consumers act now before significant fraud is unknowingly committed on their behalf.

“The last significant data compromise in 2020 where more than 20 million records were compromised with another credit bureau, the SAFPS saw a rise of impersonation of more than 300%,” said Van Schalkwyk.

Read: Hawks arrest suspect linked to massive data breach at South African credit reporting company