Credit bureau TransUnion has revealed more details about the extent of a recent data breach that compromised the personal information of millions of South Africans on one of its databases.
TransUnion confirmed that at least 3 million customers were impacted, including South African consumers and non-South African residents who have transacted in the country.
Another 6 million ID numbers were exposed that had no personal information linked.
“We continue to work diligently to determine whether these ID numbers can be linked to other personal information to identify any additional impacted consumers,” TransUnion stated.
The company’s investigation into the incident had also determined that customer information that may be affected include:
- ID numbers
- Dates of birth
- Contact details
- Marital status and information
- Identities of employers and durations of employment
- Vehicle finance contract numbers and VINs
Furthermore, in “isolated circumstances”, spouse information, passport numbers, and credit or insurance scores may be impacted.
“Each data subject may have a combination of different fields impacted, depending on what data was available,” TransUnion added.
The group claiming responsibility for the data breach, N4ugthySecTU, has alleged it exfiltrated 4TB of data, including a database of 54 million South Africans.
N4ugthySecTU also said it obtained a database for TransUnion’s credit monitoring product, containing 3,083,227 records with full names, ID numbers, cellphone numbers, and email addresses.
It demanded $15-million (R217-million) in cryptocurrency in exchange for not leaking the data online. The deadline for payment was 23:59 on Friday.
N4ugthySecTU accused TransUnion of not acting in the interest of South Africans by refusing to pay the extortion demand.
In its latest update on the breach, TransUnion has defended its refusal to pay.
“TransUnion believes that acceding to the criminal third party’s extortion demand would only provide them and other bad actors with an incentive to continue attacking consumers and extorting businesses,” the company said.
It has maintained this approach is aligned with “best practice advice from government and third-party cybersecurity experts”.
The entities have recommended that TransUnion not pay, particularly given the risk that hackers and criminals may leak the data anyway.
“The protection of affected individuals is a top priority, and we remain committed to assisting anyone whose information may have been illegally accessed from TransUnion South Africa,” the company stated.