Johannesburg,
11
April
2022
|
14:02
Africa/Harare

Update: South Africa Cyber Incident

We are aware that a criminal third party has aggregated and is releasing data allegedly obtained from TransUnion South Africa and other sources, including at least 54 million records unrelated to TransUnion from prior data breaches dating back to 2017. With the help of outside experts, we are screening and reviewing this data as quickly as we are able to safely access it.

“We condemn this criminal behaviour”, said Lee Naik, CEO TransUnion South Africa. “The protection of affected individuals and businesses is a top priority, and we remain committed to assisting anyone whose information may have been illegally accessed from TransUnion South Africa.”

While we continue to investigate who has been impacted, we have provided a notification and answers to frequently asked questions (FAQs) on our website to assist consumers and businesses. Both of these resources are available at https://www.transunion.co.za/faq. TransUnion South Africa is providing information on how affected individuals and businesses can protect themselves, including free subscriptions to TransUnion’s tools to detect identity-related and business-related threats. For consumers, this includes free access to their personal credit reports and alerts up to 31 December 2023, and for businesses, this includes free access to their business credit reports up to 31 December 2023.

Where contact information is available, TransUnion is directly contacting by email or text the individuals and businesses we know to be impacted. If anyone is uncertain of a communication that appears to come from TransUnion, we recommend visiting our website instead by typing in the following web address: https://www.transunion.co.za/faq.

As always, please be vigilant of phishing attacks and remember that a TransUnion representative will never ask for your or your business’s banking details, bank PIN or user login password.

Based on our investigation to date, we believe that the incident impacted an isolated server holding limited data from our South African business. The criminal third party obtained access to a TransUnion South Africa server through misuse of an authorised client’s credentials. Immediately upon discovery of the incident, TransUnion South Africa suspended the client's access, engaged cybersecurity and forensic experts, and launched an investigation. We are working closely with South African regulators and law enforcement in South Africa and the US.

1.  What happened?

  • We are aware that a criminal third party has aggregated and is releasing data allegedly obtained from TransUnion South Africa and other sources, including at least 54 million records unrelated to TransUnion from prior data breaches dating back to 2017.
  • With the help of outside experts, we are screening and reviewing this data as quickly as we are able to safely access it.
  • The criminal third party obtained access to the TransUnion South Africa server through misuse of an authorised client’s credentials.
  • Immediately upon discovery of the incident, TransUnion South Africa suspended the client’s access, engaged cybersecurity and forensic experts, and launched an investigation.

2.  Was this a ransomware attack? 

  • This was not a ransomware attack.
  • A criminal third party obtained access to an isolated server of TransUnion South Africa through misuse of an authorised client’s credentials.
  • As a precautionary measure, TransUnion South Africa took certain elements of our services offline. These services have resumed.

3.  Has the threat actor extorted / demanded a ransom from TransUnion South Africa?

  • We have received an extortion demand and it will not be paid.

4. Why didn’t you comply with the threat actor’s demand in order to protect clients’ / consumers’ / businesses’ information? What is your corporate policy on paying ransom / extortion?

  • The security and protection of the information we hold is TransUnion’s top priority and we condemn this type of criminal behavior.
  • TransUnion believes that acceding to the criminal third party’s extortion demand would only provide them and other bad actors with an incentive to continue attacking consumers and extorting businesses.
  • TransUnion’s approach is aligned with best practice advice from government and third-party cybersecurity experts, who recommend not paying, particularly given the risk criminals may leak data anyway.
  • Our business ethics program permeates all of our lines of business, corporate functions and operational groups. Our culture emphasises legal and regulatory compliance, issue identification and escalation, and remediation.
  • The protection of affected individuals and businesses is a top priority, and we remain committed to assisting anyone whose information may have been illegally accessed from TransUnion South Africa.

5. How much and what type of data has been accessed / published by the threat actor?

  • We are aware that a criminal third party has aggregated and is releasing data allegedly obtained from TransUnion South Africa and other sources, including at least 54 million records unrelated to TransUnion from prior data breaches dating back to 2017.
  • With the help of outside experts, we are screening and reviewing this data as quickly as we are able to safely access it.
  • Based on our investigation to date, fields of information that may be affected for businesses include company registration number, TransUnion business reference number, business name, business type (public, sole proprietor, etc.), business address, business contact number, email address, business credit scores, industry sector classification code and description; principal ID number, principal name and surname, and principal position (director, trustee, representative, member, etc.). Each business may have a combination of different fields impacted, depending on what data was available.
  • Based on our investigation to date, fields of information that may be affected for consumers include name, ID number, date of birth, gender, telephone number, email address, address, marital status and information, identity of employer and duration of employment, vehicle finance contract number, and VIN (Vehicle Identification Numbers) numbers. In isolated circumstances, spouse information, passport numbers, credit or insurance scores may be impacted. Each consumer may have a combination of different fields impacted, depending on what data was available.

6.  Did 54 million records of South Africans get taken, as media are reporting?

  • Based on our investigation to date, we believe that the incident impacted an isolated server holding limited data from our South African business.
  • We believe that the 54 million records relate to a 2017 data incident unrelated to TransUnion.

7.  How many consumers and businesses have been affected?

  • We are aware that a criminal third party has aggregated and is releasing data allegedly obtained from TransUnion South Africa and other sources, including at least 54 million records unrelated to TransUnion from prior data breaches dating back to 2017.
  • With the help of outside experts, we are screening and reviewing this data as quickly as we are able to safely access it.
  • As our investigation has progressed, TransUnion South Africa can confirm at least 3 million consumers and 600,000 businesses were impacted by this incident.
  • We also identified an additional 6 million ID numbers where there was no personal information linked to the ID numbers. We have since managed to determine contact details for the majority of consumers these ID numbers belong to and have included these consumers in our wider notification work.
  • While we continue to investigate who has been impacted, we have provided a notification and answers to frequently asked questions (FAQs) on our website to assist consumers and businesses. Both of these resources are available at https://www.transunion.co.za/faq.
  • Where contact information is available, TransUnion is directly contacting by email or text the individuals and businesses we know to be impacted. If anyone is uncertain of a communication that appears to come from TransUnion, we recommend visiting our website instead by typing in the following web address: https://www.transunion.co.za/faq

8.  Has TransUnion South Africa notified clients?

  • We are engaging clients in South Africa about this incident.

9. Has TransUnion South Africa notified affected consumers and businesses? What is TransUnion South Africa doing to protect consumers and businesses? How can consumers and businesses protect themselves?

  • The protection of affected individuals and businesses is a top priority, and we remain committed to assisting anyone whose information may have been illegally accessed from TransUnion South Africa.
  • Our team continues to work closely with external experts to gain a comprehensive understanding of what data was affected.
  • While we continue to investigate who has been impacted, we have provided a notification and answers to frequently asked questions (FAQs) on our website to assist consumers and businesses. Both of these resources are available at https://www.transunion.co.za/faq.
  • Where contact information is available, TransUnion is directly contacting by email or text the individuals and businesses we know to be impacted. If anyone is uncertain of a communication that appears to come from TransUnion, we recommend visiting our website instead by typing in the following web address: https://www.transunion.co.za/faq
  • TransUnion South Africa is providing information on how affected individuals and businesses can protect themselves, including free subscriptions to TransUnion’s tools to detect identity-related and business-related threats. For consumers, this includes free access to their personal credit reports and alerts up to 31 December 2023, and for businesses, this includes free access to their business credit reports up to 31 December 2023.

10.  Which systems have been affected by this incident?

  • Based on our investigation to date, we believe the incident impacted an isolated server holding limited data from our South African business.
  • At this stage we do not have any evidence to suggest that any other systems were accessed.

11.  Which regions or countries are affected by this incident?

  • Based on our investigation to date, we believe the incident impacted an isolated server holding limited data from our South African business.
  • At present, we have no evidence to suggest this incident extends further than Africa.
  • We understand, at present, that affected data relates to South African consumers and businesses and a very limited number of non-South African citizens who have transacted in South Africa.

12. What are you doing to ensure this doesn’t happen again?

  • Our security and the protection of the information we hold are top priorities for TransUnion.
  • At TransUnion, we take our responsibility to safeguard the information we hold very seriously. We continuously look for ways to further strengthen our defences against unauthorised access of any kind to TransUnion systems or data.
  • These have included a number of additional security measures implemented across our IT infrastructure.
  • We have engaged a third-party expert to assess our security protocols.

13.  When will the investigation be completed?

  • Our team is working closely with external experts to conduct a thorough investigation, which takes time.
  • We regret we cannot provide further information now, but we want to ensure we provide accurate information.

14.  Have you notified the authorities and regulators of the incident?

We are working closely with South African regulators and law enforcement agencies in South Africa and the US.