The South African division of US-based consumer credit bureau TransUnion has suffered a ransomware attack.
In an email to clients, which MyBroadband has seen, TransUnion said it believes the incident impacted an isolated server holding limited data from its South African business.
“At present, we understand the affected data may include consumer contact information, such as telephone numbers, email addresses, identity numbers, and physical addresses.”
In a statement on Thursday, the company acknowledged that a third party had gained access to one of its servers through misuse of an authorised client’s credentials.
“We have received an extortion demand, and it will not be paid,” TransUnion South Africa stated.
The company said it immediately suspended the client’s access upon discovering the breach, engaged cybersecurity and forensic experts, and launched an investigation.
“As a precautionary measure, TransUnion South Africa took certain elements of our services offline. These services have resumed,” TransUnion stated.
“We believe the incident impacted an isolated server holding limited data from our South African business. We are working with law enforcement and regulators.”
TransUnion added it was engaging clients in South Africa about the incident.
“As our investigation progresses, we will notify and assist individuals whose personal data may have been affected.”
In addition, it will be making identity protection products available to impacted consumers free of charge.
Attackers offer “insurance”
MyBroadband spoke to a group calling itself N4ughtysecTU, which has claimed responsibility for the attack.
It alleged it gained access to the personal records of 54 million South African customers totalling more than 4TB of data.
“We got in via user and then to all files on there server’s [sic],” the group told MyBroadband.
According to N4ughtysecTU, the user’s password was “password”.
The group had demanded a $15-million (R224.4 million) ransom to return the data.
While TransUnion has refused to pay, the group has offered the supposedly affected business customers the option of paying an “insurance fee” to prevent their information from being leaked.
“We want it to be known that we will be reaching out to them and allow them to verify the data we have,” the group stated.
“If TransUnion does not pay the ransom amount by the deadline, those companies who paid the insurance fee will be safe when we leak the data.”
Below is a list of the companies whose data the group claims to have accessed. The group added that this list only contained the first group of companies it was targeting.