How criminals can use stolen data from the TransUnion hack
Criminals can use stolen data for organised crime such as burglaries, car hijackings, fraud, and identity theft.
That is the warning from cybersecurity experts who recently spoke to Sunday newspaper Rapport about the potential consequences of the TransUnion data breach.
TransUnion recently confirmed that the hack impacted at least 3 million customers on one of its databases.
The wealth of data the attackers stole includes names, ID numbers, dates of birth, gender, contact details, marital status and information, employer details, and vehicle information of South African consumers and people who have transacted in the country.
CEO of cyber and IT security company Neworder Group, Marthinus Engelbrecht, said this type of data exposure could portend physical crimes, with affluent individuals being the biggest targets.
“Car hijackings, break-ins, and kidnappings could increase because criminals know where you live and where your kids go to school,” Engelbrecht explained.
Stellenbosch University’s head of information science, Bruce Watson, echoed these comments, stating that such a data breach likely involved professional hackers “higher up the food chain” and posed a severe threat.
Watson explained that criminals could use home addresses and contact numbers to track targets’ movements.
The group claiming responsibility for the hack, N4ughtySecTU, has leaked the ID numbers of high-profile individuals like President Cyril Ramaphosa and his wife, and EFF leader Julius Malema, on a public Telegram group.
It has threatened to publish more information, including their banking account details.
Managing director of digital forensics lab Cyanre, professor Danny Myburgh, has also warned that criminals with the data could use it to steal money from victims without physical intervention.
Firstly, they could phone victims and pretend to be their bank to get login details and transact with victims’ money.
With all the personal data at their fingertips, it would be easier to convince victims that they are legitimate.
They can then persuade victims to enter their login details and PIN on a fake website.
Secondly, criminals could use the data to impersonate victims, effectively stealing their identities. They could take out credit in victims’ names or buy items and services on contract.
Furthermore, Myburgh said attackers could use the information in a so-called “Big Game Hunting” attack, where they break into a large enterprise and exfiltrate more data or infect its systems with ransomware.
In addition, if the attackers can deduce victims’ passwords using personal information, they could access email or other online accounts and extort victims if they find compromising data, like nude images.
They could also change the banking details of an ongoing transaction — also known as a Business Email Compromise (BEC) or Man-in-the-middle attack.
Protecting yourself
Myburgh advised those who suspect they may be impacted by a data breach to take the following steps to protect themselves:
- Find out what was compromised by contacting the company that was breached.
- Check for updates from the company which was breached.
- Find out what support the responsible party (the hacked organisation) will provide.
- Do not use the information that may have been compromised to confirm your identity in future. Instead, use other personal information that you have not used previously.
- Change your password for the compromised site and regularly change all your passwords. Don’t share them with anybody.
- Change your security questions.
- Don’t use the same password everywhere.
- Consider your rights and legal recourse.
- Watch your bank accounts and check your credit reports.
- Freeze your credit if you suspect that it has been breached.
- Consider identity theft protection services.
- Verify all requests for personal information and only provide it when there is a legitimate reason to do so.
- Do not disclose personal information such as passwords and PINs when asked to do so by anyone.
- Activate two-factor authentication on all your accounts where possible.