
TransUnion admits credit scores may have been stolen as hackers turn the screws

ITWeb reports that a Brazilian group called N4ughtySecTU has demanded $15m from TransUnion SA

Picture: 123RF/DOLGACHOV

Credit bureau TransUnion SA has refused to pay a $15m (R224m) ransom to hackers who stole sensitive consumer data, even after the hacking group ramped up demands, went to the media to embarrass the US-based bureau and approached its banking clients with ransom demands.

The hackers, who call themselves N4ughtySecTU, say they will leak the sensitive credit information only if they are not paid. But the breach could result in fraudulent attempts by criminals to impersonate banking officials and trick consumers into handing over banking PINs.

The hack was first revealed by ITWeb, and TransUnion confirmed on Thursday that hackers had acquired access to an SA server.

The company said it is still working out what local data has been stolen. The hackers say they have 28-million credit records and 54-million identity numbers. TransUnion believes the 54-million number relates to a 2017 hacking incident of an SA government website.

TransUnion is a consumer credit company that operates in more than 30 countries, providing credit information to banks, insurers and car financers.

TransUnion has said repeatedly that it will not pay criminals who are trying to extort money.

TransUnion and the SA banks initially said the hack only allowed the hackers access to email and physical addresses, contact information and identity numbers. But some of the hacked data is up-to-date credit information. On Saturday, this journalist was sent her February Telkom contract bill and latest mortgage and car repayment statements by the hackers as well as her credit card limit and new physical address.

The TransUnion SA statement was updated on Monday to say the affected data may include some “credit scores”.

The newly appointed information regulator, set up under the Protection of Personal Information Act (Popia) can fine TransUnion for the breach, with the act permitting a maximum fine of R10m. The regulator has asked the bureau what data has been leaked, the implications of the leak, who is affected and what plans there are to notify consumers who have been affected.

“TransUnion says it is working with the information regulator at this stage, but this doesn’t absolve them from shoddy cybersecurity practices,” said Bryan Turner, data analyst at World Wide Worx, an SA technology consulting firm.

The hackers’ attempt to speak to the media could suggest increasing desperation and an attempt to embarrass TransUnion or its banking and insurance clients such as Absa, Standard Bank, Mutual & Federal and Alexander Forbes to pay out.

They say they have approached TransUnion banking clients and motor vehicle companies with finance divisions, such as Volkswagen, demanding “insurance fees” to protect those companies’ customer data.

Turner said: “Banks, car financiers and insurance companies are affected because they feed customer data into TransUnion to get more info back”. He said the hack may cause “an overflow of reputational damage for TransUnion’s partners”.

The banks have referred queries to the SA Banking and Risk Information Centre (Sabric), which admitted only that the personal information obtained could include names and ID numbers. Sabric’s statement said the data leaked does not allow access into private bank accounts but can be used by fraudsters to trick consumers.

TransUnion may find it impossible to pay the money demanded. The US Foreign Corrupt Practices Act prevents US companies from paying fines to foreign government officials.

It is not known who the N4ughtySecTU hackers are, or whether they have links to a government.

Banks, Sabric and TransUnion urged consumers to never release password and PIN data to anyone on the phone and not to follow links to banking sites from emails.

In 2020, credit bureau Experian suffered a hack in which about 24-million SA customer records were exposed and some data shared on the internet, while last year Standard Bank and property data and valuation group Lightstone suffered data breaches.

Update: March 21 2022

This story has been updated with additional information.

childk@businesslive.co.za
