Massive data hack: TransUnion says at least 3 million South Africans impacted – this is the information that was stolen

Credit reporting agency TransUnion South Africa says that at least three million South Africans have been impacted by a data hack earlier this month.

TransUnion was compromised by the hacker group ‘N4aughtysecTU’ which demanded a $15 million (R225 million) ransom over four terabytes of compromised data. The hacker group claims the information in its possession contains everything from credit scores to banking details and ID numbers.

TransUnion South Africa initially issued a statement confirming that a criminal third-party obtained access to an isolated South African server, through misuse of an authorised client’s credentials – however, this was deemed an ‘inadequate response’ by the country’s information regulator.

In a follow-up statement published on Saturday (26 March) TransUnion went into more detail about the attack.

The group confirmed that its systems were breached, but stressed that the hackers targeted an “isolated server”, holding limited data on South African clients. It said that hackers have aggregated data, including the details of 54 million South Africans from a previous leak in 2017, unrelated to the latest incident.

“We are aware that a criminal third party has aggregated and is releasing data allegedly obtained from TransUnion South Africa and other sources, including at least 54 million records unrelated to TransUnion from prior data breaches dating back to 2017,” it said.

“With the help of outside experts, we are screening and reviewing this data as quickly as we are able to safely access it.”

The group said it will not pay the ransom demand.

Who was affected?

TransUnion said that its latest investigations showed that detailed information from three million South Africans was captured in the hack.

Six million more ID numbers were also identified where there is no personal information linked to the ID numbers that would enable the group to identify the impacted consumers or to communicate with them directly at this stage.

“At this time TransUnion South Africa can confirm at least three million impacted consumers. We continue to work diligently to determine whether (the six million additional) ID numbers can be linked to other personal information to identify any additional impacted consumers,” it said.

What was stolen?

The stolen data includes:

• Name;
• ID number;
• Date of birth;
• Gender;
• Contact details;
• Marital status and information;
• Identity of employer and duration of employment;
• Vehicle finance contract number;
• VIN numbers.

In isolated circumstances, spouse information, passport numbers, credit or insurance scores may be impacted, TransUnion said.

“Each data subject may have a combination of different fields impacted, depending on what data was available.”

What to do next

TransUnion said that while it is conducting its investigations with authorities and external experts, South Africans should remain vigilant and be on alert for any fraudulent activity.

It said it would be getting into contact with consumers and business customers it believes have been affected.

As this is happening, the group said it will be providing information on how affected individuals can protect themselves, including a free annual subscription to TransUnion’s tools to detect identity-related threats, as well as free access to their credit report and alerts up to 31 December 2023.

“If anyone is uncertain of communication that appears to come from TransUnion, we recommend visiting our website instead. Please be vigilant of phishing attacks and remember that a TransUnion representative will never ask for your banking details, bank PIN or user login password,” it said.

Additional information can be found on the group’s FAQ page.

1. What happened?

• We are aware that a criminal third party has aggregated and is releasing data allegedly obtained from TransUnion South Africa and other sources, including at least 54 million records unrelated to TransUnion from prior data breaches dating back to 2017.
• With the help of outside experts, we are screening and reviewing this data as quickly as we are able to safely access it.
• The criminal third party obtained access to the TransUnion South Africa server through misuse of an authorised client’s credentials.
• Immediately upon discovery of the incident, TransUnion South Africa suspended the client’s access, engaged cybersecurity and forensic experts, and launched an investigation.

2. Was this a ransomware attack? 

• This was not a ransomware attack.
• A criminal third party obtained access to a TransUnion South Africa server through misuse of an authorised client’s credentials.
• As a precautionary measure, TransUnion South Africa took certain elements of our services offline. These services have resumed.

3. Has the threat actor extorted / demanded a ransom from TransUnion South Africa?

• We have received an extortion demand and it will not be paid.

4. Why didn’t you comply with the threat actor’s demand in order to protect your clients’ / consumers’ information? What is your corporate policy on paying ransom / extortion?

• The security and protection of the information we hold is TransUnion’s top priority and we condemn this type of criminal behavior.
• TransUnion believes that acceding to the criminal third party’s extortion demand would only provide them and other bad actors with an incentive to continue attacking consumers and extorting businesses.
• TransUnion’s approach is aligned with best practice advice from government and third-party cybersecurity experts, who recommend not paying, particularly given the risk criminals may leak data anyway.
• Our business ethics program permeates all of our lines of business, corporate functions and operational groups. Our culture emphasizes legal and regulatory compliance, issue identification and escalation, and remediation.
• The protection of affected individuals is a top priority, and we remain committed to assisting anyone whose information may have been illegally accessed from TransUnion South Africa.

5. How much and what type of data has been accessed / published by the threat actor?

• We are aware that a criminal third party has aggregated and is releasing data allegedly obtained from TransUnion South Africa and other sources, including at least 54 million records unrelated to TransUnion from prior data breaches dating back to 2017.
• With the help of outside experts, we are screening and reviewing this data as quickly as we are able to safely access it.
•  Based on our investigation to date, fields of information that may be affected include name, ID number, date of birth, gender, contact details, marital status and information, identity of employer and duration of employment, vehicle finance contract number, and VIN numbers. In isolated circumstances, spouse information, passport numbers, credit or insurance scores may be impacted. Each data subject may have a combination of different fields impacted, depending on what data was available.

6. Did 54 million records of South Africans get taken, as media are reporting?

• Based on our investigation to date, we believe that the incident impacted an isolated server holding limited data from our South African business.
• We believe that the 54 million records relate to a 2017 data incident unrelated to TransUnion.

7. How many consumers have been affected?

• We are aware that a criminal third party has aggregated and is releasing data allegedly obtained from TransUnion South Africa and other sources, including at least 54 million records unrelated to TransUnion from prior data breaches dating back to 2017.
• With the help of outside experts, we are screening and reviewing this data as quickly as we are able to safely access it.
• At this time TransUnion South Africa can confirm at least 3 million impacted consumers.
• We have identified an additional 6 million ID numbers where there is no personal information linked to the ID numbers that would enable us to identify the impacted consumers or to communicate with them directly at this stage. We continue to work diligently to determine whether these ID numbers can be linked to other personal information to identify any additional impacted consumers.
• While we continue to investigate who has been impacted, we have provided a notification and answers to frequently asked questions (FAQs) on our website to assist consumers. Both of these resources are available at https://www.transunion.co.za/customer-support/faq.
• Where contact information is available, TransUnion is directly contacting by email or text the individuals we know to be impacted. If anyone is uncertain of a communication that appears to come from TransUnion, we recommend visiting our website instead by typing in the following web address: https://www.transunion.co.za/customer-support/faq.

8. Has TransUnion South Africa notified clients?

• We are engaging clients in South Africa about this incident.

9. Has TransUnion South Africa notified affected consumers? What is TransUnion South Africa doing to protect consumers? How can consumers protect themselves?

• The protection of affected individuals is a top priority, and we remain committed to assisting anyone whose information may have been illegally accessed from TransUnion South Africa.
• Our team continues to work closely with external experts to gain a comprehensive understanding of what data was affected.
• While we continue to investigate who has been impacted, we have provided a notification and answers to frequently asked questions (FAQs) on our website to assist consumers. Both of these resources are available at https://www.transunion.co.za/customer-support/faq.
• Where contact information is available, TransUnion is directly contacting by email or text the individuals we know to be impacted. If anyone is uncertain of a communication that appears to come from TransUnion, we recommend visiting our website instead by typing in the following web address: https://www.transunion.co.za/customer-support/faq.
• TransUnion South Africa is providing information on how affected individuals can protect themselves, including a free annual subscription to TransUnion’s tools to detect identity-related threats, as well as free access to their credit report and alerts up to 31 December 2023.

10. Which systems have been affected by this incident?

• Based on our investigation to date, we believe the incident impacted an isolated server holding limited data from our South African business.
• At this stage we do not have any evidence to suggest that any other systems were accessed.

11. Which regions or countries are affected by this incident?

• Based on our investigation to date, we believe the incident impacted an isolated server holding limited data from our South African business.
• At present, we have no evidence to suggest this incident extends further than Africa.
• We understand, at present, that affected data relates to South African consumers and a very limited number of non-South African citizens who have transacted in South Africa

12. What are you doing to ensure this doesn’t happen again?

• Our security and the protection of the information we hold are top priorities for TransUnion.
• At TransUnion, we take our responsibility to safeguard the information we hold very seriously. We continuously look for ways to further strengthen our defences against unauthorised access of any kind to TransUnion systems or data.
• These have included a number of additional security measures implemented across our IT infrastructure.
• We have engaged a third-party expert to assess our security protocols.

13. When will the investigation be completed?

• Our team is working closely with external experts to conduct a thorough investigation, which takes time.
• We regret we cannot provide further information now, but we want to ensure we provide accurate information.

14. Have you notified the authorities and regulators of the incident?

• We are working closely with regulators and law enforcement.

Read: Regulator slams ‘inadequate’ response to massive personal data hack in South Africa