Johannesburg,
01
June
2022
|
12:30
Africa/Harare

Update: South Africa Cyber Incident

Following the recent incident where a criminal third-party obtained access to an isolated TransUnion South Africa server, we are able to provide an update from our investigation. Our understanding is that data relating to 5 million consumers was potentially affected by the incident with a further 5.2 million consumers having had only ID numbers affected with no personal information linked to the ID number. For businesses, a total of 600,000 organisations were potentially affected by the incident. Where contact information was available, we directly contacted individuals and businesses who we knew to be affected via email or text.

 

TransUnion South Africa also provided information on how affected individuals and businesses can protect themselves, including free subscriptions to TransUnion’s tools to detect identity-related and business-related threats. For consumers, this included free access to their personal credit reports and alerts up to 31 December 2023, and for businesses, this included free access to their business credit reports up to 31 December 2023.

 

As ever, we encourage businesses and consumers to please remain vigilant of phishing attacks. Remember that a TransUnion representative will never ask for your personal or your business’ banking details, bank PIN or user login password.

 

Alongside our investigation, we have reviewed and evaluated our systems and processes to ensure we have the highest standards of security in place across all of our operations. 

 

TransUnion South Africa believes responsible data stewardship is fundamental to our mission. We continue to work closely with regulators and law enforcement bodies, and we are consulting key industry and trade associations in our continuous efforts to evolve our security posture and ensure high security and privacy standards.

 

1. What has the investigation revealed?

 

TransUnion South Africa continues to work alongside multiple regulatory, law enforcement and industry bodies to ensure we maintain as full and comprehensive an understanding of the impact on consumers, businesses and suppliers as possible. Alongside these agencies, our investigation was also supported by external industry security experts. 

 

Our investigation has shown that data relating to 5 million consumers was potentially affected by the incident with a further 5.2 million consumers having had only ID numbers affected with no personal information linked to the ID number. For businesses, a total of 600,000 organisations were potentially affected by the incident.

 

The 54 million records claimed by the criminal third-party was unrelated to TransUnion and from separate data breaches dating back to 2017.

 

Fields of information that were affected for businesses may have included company registration number, TransUnion business reference number, business name, business type (public, sole proprietor, etc.), business address, business contact number, email address, business credit scores, industry sector classification code and description; principal ID number, principal name and surname, and principal position (director, trustee, representative, member, etc.). Each business may have a combination of different fields impacted, depending on what data was available.

 

For the 5 million consumers whose data was potentially affected, this may have included the following fields of information: name, ID number, date of birth, gender, telephone number, email address, address, marital status and information, identity of employer and duration of employment, vehicle finance contract number, and VIN (Vehicle Identification Numbers) numbers. In isolated circumstances, spouse information, passport numbers, credit or insurance scores may be impacted. Each consumer may have had a combination of different fields affected, depending on what data was available. For the remaining 5.2 million consumers who had only ID numbers affected, we have identified contact details for the majority of these consumers and have notified them.

 

Where contact information was available, TransUnion directly contacted (by email or text) the individuals and businesses who were known to be affected. If anyone is uncertain of a communication that appears to come from TransUnion, we recommend visiting our website instead by typing in the following web address: https://www.transunion.co.za/faq.

 

2. What is TransUnion South Africa doing to protect consumers and businesses? How can consumers and businesses protect themselves?

 

The protection of affected individuals and businesses is a top priority, and we remain committed to assisting anyone whose information may have been illegally accessed from TransUnion South Africa.

 

Where contact information was available, TransUnion directly contacted (by email or text) the individuals and businesses who were known to be affected. If anyone is uncertain of a communication that appears to come from TransUnion, we recommend visiting our website instead by typing in the following web address: https://www.transunion.co.za/faq.

 

Throughout the course of our investigation, we have provided a notification and answers to frequently asked questions (FAQs) on our website to assist consumers and businesses. Both of these resources remain available at https://www.transunion.co.za/faq.

 

TransUnion South Africa provided information on how affected individuals and businesses can protect themselves, including free subscriptions to TransUnion’s tools to detect identity-related and business-related threats. For consumers, this included free access to their personal credit reports and alerts up to 31 December 2023, and for businesses, this included free access to their business credit reports up to 31 December 2023.