Attackers threaten to leak every South African’s private financial data — unless TransUnion and Experian pay R1.1 billion
Attackers professing to be from N4ughtySec, a cyber extortion gang that claimed responsibility for an attack on TransUnion in March 2022, have announced they “never left” South Africa.
The group said they have had constant access to credit bureaus TransUnion and Experian’s systems and would leak all the data they hold on clients after their extortion demands weren’t met.
“The firestorm has commenced,” they claimed.
TimesLive reports that “Na4ughtySec” demanded separate ransoms of $30 million (R563 million) from Experian and TransUnion.
TransUnion and Experian confirmed the demands, and both disputed the group’s claims of an ongoing hack on their systems.
Both said they investigated the group’s claims and could find no evidence that data had been inappropriately accessed or exfiltrated.
There are reasons to be suspicious of this extortion group’s claims.
For one, they misspelt their own name in the Gmail account they used to contact journalists and executives from TransUnion and Experian.
The name on the email is “N4AUGHTYSEC”, and the email address [email protected]. There should be no “a” after the “4”, as the numeral “4” replaces the alphabet character “a” in Internet leetspeak (also stylised 1337 speak).
The email it sent earlier today is reproduced below, with links redacted.
HELLO SOUTH AFRICA
THE N4AUGHTYSEC GROUP CONTINUES ITS MISSION. WE HAVE HARVESTED ALL OF TRANSUNIONS AND EXPERIANS DATA FILES AND SYSTEMS AS WELL AS ITS CLIENTS DATA FILES AND SYSTEMS. WE ARE ACTIVELY INSIDE THE IT NETWORKS OF TRANSUNION AND EXPERIAN AND ITS CLIENT’S. WE HAVE REMAINED SILENT SINCE OUR LAST DEMANDS WERE NOT MET. WE NEVER LEFT.
FURTHER DEMANDS WERE NOT MET. WE WILL NOW LEAK ALL DATA AND FILES OVER THE NEXT 72 HOURS. THE FIRESTORM HAS COMMENCED.
PLEASE WATCH THE SHOW ONLINE AND IN THE NEWS. WE WILL POST ALL FILES ON THE DARK WEB AND PUBLIC FACING PLATFORMS.
OUR TEAM AND COMMUNITIES ARE ACTIVELY TARGETING ALL HARVESTED DATA AND SYSTEMS. YOUR PURE ARROGANCE AND WEAK SECURITY SYSTEMS WILL NOW BE YOUR ULTIMATE DOWNFALL. LETS NOT FORGET. TRANSUNIONS PASSWORD WAS PASSWORD FOR THE LAST 8 YEARS. LETS NOT FORGET EXPERIANS WEAK SYSTEMS.
WE HAVE INFILTRATED YOUR SOUTH AFRICA N GOVERNMENT DEPARTMENTS VIA YOUR BACK-END. THE FIRESTORM WILL SOON REVEAL ALL.
ENJOY YOUR MEETINGS AND YEAR END LUNCH.
THE N4AUGHTYSEC GROUP WISHES YOU A MERRY CHRISTMAS.
[list of random Telegram channels and GetSession.org details redacted]
YOU WERE WARNED
você pagará pelos seus pecados
In March 2022, a group calling itself N4ughtysecTU claimed responsibility for a ransomware attack on TransUnion.
In an interview with MyBroadband, a spokesperson for the group said, “We got in via user and then to all files on there server’s [sic].”
They said the user’s password was “password”.
TransUnion said at least 3 million South African customers’ details were impacted.
A further 6 million ID numbers were exposed but not linked to other personal information.
TransUnion refused to pay a ransom of $ 15 million (R224 million at the time) to prevent the data from being leaked online.
While the attackers alleged they exfiltrated 4TB of data and the records of 54 million South Africans, TransUnion disputed that this leaked Home Affairs data came from its servers.
The credit bureau said the attackers had obtained it from an earlier breach.
Two years prior, Experian suffered a data breach that was first reported by the South African Banking Risk Centre (Sabric).
The incident exposed as many as 24 million South Africans and nearly 794,000 business entities when Karabo Phungula obtained the dataset under false pretences.
It later emerged that Phungula had stolen the identity document of a businessman who had access to the service’s database and fraudulently extracted the information in May 2020.
Phungula allegedly wanted to sell the data for R4 million. He was arrested about a year later.
In March 2023, the Specialised Commercial Crimes Court in Palm Ridge sentenced Phungula to 15 years in prison for fraud and violation of the Electronic Communications and Transactions Act.