A hacking group claiming responsibility for the attack on TransUnion last week has threatened to leak the personal data of President Cyril Ramaphosa, Julius Malema, and other political figures.
The group, N4ughtySecTU, has claimed to be based in Brazil and that they have four terabytes of data exfiltrated from a poorly-secured TransUnion server.
They have threatened to leak the data unless TransUnion pays $15 million (R225 million) in bitcoin by Friday, 25 March.
N4ughtySecTU has also threatened to separately leak the personal data of judges, prosecutors, police, lawyers, and advocates.
“There lives will now be in danger [sic],” the group told MyBroadband via text chat.
“We will also link there family member’s. The President and his family information [sic],” they said.
The group said that if TransUnion continues to refuse to pay, its corporate clients may negotiate to prevent their clients’ details from being posted online. These clients include South Africa’s major banks.
N4ughtySecTU posted the ID numbers of Julius Malema, and Cyril Ramaphosa and his wife to a public group chat on Telegram.
In a private chat with MyBroadband, the group also posted TransUnion Africa CEO Lee Naik’s personal details, and those of Information Regulator chair Pansy Tlakula.
The data included what appears to be bank account numbers and vehicle registration information.
However, Tlaklula told MyBroadband that she doesn’t recognise the bank accounts or vehicle licence plate numbers N4ughtySecTU provided as “samples”.
The Information Regulator said it is investigating the attack on TransUnion.
If it discovered any illegality or lack of proper safeguards for protecting the stolen data, the regulator said there could be severe consequences.
“Possible repercussions after all of the required processes and steps have been followed by the regulator, is a fine of up to R10 million or imprisonment of up to 10 years, or both a fine and such imprisonment,” the regulator stated.
TransUnion has maintained that the attack was on an isolated server holding limited data from its South African business.
“At present, we understand the affected data may include personal information, such as telephone numbers, email addresses, identity numbers, physical addresses, and some credit scores,” TransUnion stated.
N4ughtySecTU claims to have obtained a Department of Home Affairs database from the TransUnion server containing the identity records of 54 million South Africans.
They showed MyBroadband a sample to substantiate their claim.
TransUnion has said that the file did not come from its compromised server.
“We believe that the 54 million records relate to a 2017 data incident unrelated to TransUnion,” it stated.
TransUnion said that the attackers gained access to a South African server by misusing an authorised client’s credentials.
N4ughtySec said they performed a simple brute force attack against the TransUnion South Africa file server.
They were able to guess the username and password of a TransUnion client. According to N4ughtySec, the password was “password”.
TransUnion said it is investigating the identity of the suspect.
“As is common with criminal attacks of this nature, it is not always possible to identify who is responsible for this malicious conduct,” TransUnion stated.
“Should we identify the suspect we will work with law enforcement agencies and disclose the identity of the suspect only if law enforcement agencies think that it is appropriate to do so.”