TransUnion faces R10-million fine for hack
Credit bureau TransUnion could be slapped with a R10-million fine after it suffered a data breach that compromised the personal information of millions of South Africans, the Information Regulator of South Africa has said.
The company confirmed on Thursday that a criminal third party had gained access to one of its servers by using an authorised client’s credentials.
“We have received an extortion demand, and it will not be paid,” TransUnion South Africa confirmed.
N4ugthysecTU, a group claiming to be based in Brazil, took responsibility for the attack and demanded $15-million (R223-million) in Bitcoin to prevent the data from being leaked online.
According to the attackers, they have obtained 4TB of data, including identity information of 54 million South Africans.
TransUnion initially informed customers that the affected data might include telephone numbers, email addresses, identity numbers, and physical addresses.
However, the attackers have demonstrated to MyBroadband that they also have bank account and vehicle ownership information.
They also demonstrated that they obtained a Department of Home Affairs file with 54,140,442 records containing names, ID numbers, and birth dates.
N4ugthysecTU also offered TransUnion’s business customers “insurance” to prevent their data from being exposed, given that the credit bureau has refused to pay.
The list of impacted companies for which the attackers claim to have data is extensive and includes banks such as Absa, FNB, and Standard Bank.
The Information Regulator of South Africa has told MyBroadband that TransUnion informed it of the incident. The regulator explained what the next steps would be.
“The regulator will first have to engage TransUnion to ascertain the root cause of, and the extent of the security compromise as well as the impact thereof,” the regulator said.
If the regulator decides to act, it will consider the appropriate approach, including a pre-investigation or an assessment based on Protection of Personal Information Act regulations.
“Possible repercussions after all of the required processes and steps have been followed by the regulator, is a fine of up to R10 million or imprisonment of up to 10 years, or both a fine and such imprisonment,” the regulator stated.
That would apply if the regulator discovered any illegality or lack of proper safeguards for protecting the information.
TransUnion plays down breach extent
TransUnion disputed N4ugthysecTU’s claims about the extent of the breach in a statement over the weekend.
“We believe that the 54 million records relate to a 2017 data incident unrelated to TransUnion,” the company said.
It also denied that the incident was a ransomware attack.
While it had received an extortion demand, the attackers did not take down TransUnion’s systems.
Instead, the bureau said it had temporarily taken certain elements of its services offline as a precaution.
On Saturday, the South African Banking Risk Information Centre (Sabric) said it was engaging with TransUnion to coordinate the banking industry’s efforts to secure customers’ profiles against abuse.
“South African banks take the security of their customer data very seriously and have put in place robust risk mitigation strategies to detect potential fraud on accounts and protect customers’ personal information, as the investigation unfolds,” Sabric said.
Sabric CEO Nischal Mewalall pointed out that compromising personal information did not guarantee access to banking profiles. Still, criminals could use it to impersonate people or trick them into disclosing their confidential banking information.
“Sabric urges bank customers and other consumers to follow sound identity management practices to mitigate the risk of identity theft and fraudulent applications,” the centre advised.
MyBroadband contacted TransUnion for comment, but the credit rating agency did not respond by the time of publication.