
KATE THOMPSON DAVY: TransUnion hack is a real test for privacy law and another headache for credit consumers

There are different versions of events while the information regulator waits in the wings with a ruler

Picture: 123RF/WELCOMIA.

Late last week, with the long weekend bearing down on us, news broke that TransUnion Africa — one of the country’s biggest possessors and processors of personal and financial data — had fallen victim to a cyberattack that may leave the personal details of 54-million South Africans exposed.

The group claiming responsibility for the breach goes by N4ughtySec, but you may see this reported as N4ughtySecTU in some stories. I assume the addition of the last two letters relates specifically to TransUnion, which uses TU in its branding. N4ughtySec does keep busy so this kind of differentiation seems pretty practical.

Busy, yes, and chatty. Members of the group told ITWeb in a discussion via the Telegram platform that they had exfiltrated more than four terabytes of customer information as early as March 11, including information from 200 corporates and the data records of 54-million people. They also said they had demanded a ransom of $15m in bitcoin — with a deadline of March 25.

The real kicker (or kick in the teeth) is that N4ughtySec claims its route to unlock said treasure trove was a “simple brute force attack” on a file server, using a poorly protected TransUnion client login. How poorly protected? The group claims — emphasis on “claim” — the password in this case was merely “password”.

As SA tech publication MyBroadband has reported, N4ughtySecTU has also since “posted the ID numbers of Julius Malema, and Cyril Ramaphosa and his wife, to a public group chat on Telegram”. Additionally, in a private chat with MyBroadband, members of the group shared what they claimed were the personal details of TransUnion Africa CEO Lee Naik and information regulator chair Pansy Tlakula.

However, when reached for comment Tlakula disputed their veracity — at least as it applies to her own information — saying she “doesn’t recognise the bank accounts or vehicle licence plate numbers” provided.

For its part, TransUnion has confirmed some of this in its own website updates and in emails to clients that have made their winding way into the hands of various reporters. The forward function on email remains a godsend for reporters, but corporate communications managers at TransUnion are likely to be less enamoured with it right now. TransUnion has also promised to make its alert functionality — the one that tells you when someone tries to open an account in your name — freely available to any affected credit consumer.

TransUnion’s version of events differs from N4ughtySec’s on several key points. First, TransUnion says the breach was limited to “an isolated server holding limited data”. It disputes the 54-million records claim, saying it believes this relates to a 2017 data incident “unrelated to TransUnion”.

I’ve not seen it confirmed, but if we cast our minds back to 2017 an obvious example springs to mind: the “masterdeeds” breach exposed by information security researcher Troy Hunt, who runs HaveIbeenPwned.com, where you can check your own data exposures. In that instance, Hunt found records relating to 30-million South Africans.

TransUnion also states that no ransomware was involved, saying: “A criminal third party obtained access to a TransUnion SA server through misuse of an authorised client’s credentials. We have received an extortion demand and it will not be paid.” It does admit, though, that an authorised client’s login credentials were used to gain access to the local server, but this is still being investigated.

Don’t hold your breath for confirmation that the offending password was “password”. If it was — and it seems inconceivable to me — that’s money in the regulator’s pocket, right there. Even if Tlakula’s own name hadn’t been dragged into this by the Chatty Cathy Hacker on Telegram, you know the information regulator body will be all over this thing. 

Data breaches are achingly common these days, but the stakes are particularly high when it’s a credit union being hacked. Like your banking provider, there’s little a credit union doesn’t know about you if you’re in the system. And from what they do know — your ID number, phone number, address and so on — it’s not hard to imagine how bad actors could use that info, together with basic social engineering, to get anything further they don’t have.

In 2020, another major credit union, Experian, was cracked open by someone pretending to be a legitimate client. In that instance the data of about 24-million South Africans was exposed. This story reared its ugly head again in late 2021 when information from that breach was shared again, this time on Telegram.

Today, as the news cycle spins, there are claims and counterclaims from victims and perpetrators, a string of enormous breaches piling up in the Google search results, exaggerations and obfuscations from parties, and a newish regulator looking to prove its mettle after the long gap between legal concept and functioning body.

We’re weeks or months from knowing what really happened, and which — if any — corporate entity will face a hefty fine from the regulator. Its lawyers will be gearing up to fight back already, I imagine. Sometimes it seems that all that stands between us and rampant identity fraud is a single user with a lack of imagination or the technical know-how to use a password generator.

• Thompson Davy, a freelance journalist, is an impactAFRICA fellow and WanaData member.
