TransUnion South Africa missed the Friday (March 25) deadline for paying a $15 million – around R220 million – ransom demanded by a group of hackers going under the name N4ughtySecTU, allegedly based in Brazil.
TransUnion says it will not pay the demand, adding that this was an extortion demand, not a ransomware attack. The hackers demanded $15 million in bitcoin.
The data breach occurred just over a week ago when the hackers obtained access to a TransUnion South Africa server through misuse of an authorised client’s credentials.
The company issued a statement over the weekend saying that it had suspended that client’s access and had appointed a world-leading forensic firm to lead the investigation.
“We are also working closely with South African regulators and law enforcement in South Africa and the US,” says the statement.
The hack is reportedly limited to an isolated server holding limited data from the SA branch of TransUnion.
The hackers are threatening to release data obtained from the hack, which includes at least 54 million client records apparently unrelated to TransUnion that were obtained from prior breaches going back to 2017.
The ID information on the 54 million South Africans is reckoned to be a Home Affairs database stored on the TransUnion server.
According to MyBroadband, also included in the breached data were the major banks and insurers, as well as several auto manufacturers.
Sidebar ‘insurance fee’ demands
While TransUnion has refused to pay the $15 million, the hackers have apparently demanded an insurance fee from the affected companies. Those who pay the fee will be safe when the hackers start releasing stolen data.
The group has threatened to release the personal information of politicians, judges, police and advocates, as well as their family members.
The ID numbers of President Cyril Ramaphosa, EFF leader Julius Malema, TransUnion CEO Lee Naik and others were released on a Telegram group chat last week. Also released were bank account numbers and vehicle registration details.
Fields of information that may be affected include name, ID number, date of birth, gender, contact details, marital status and information, identity of employer and duration of employment, vehicle finance contract number, and vehicle identification numbers (VINs).
In isolated circumstances, spouse information, passport numbers, credit or insurance scores may be impacted. Each data subject may have a combination of different fields impacted, depending on what data was available.
Clients urged to purchase ID protection
TransUnion says that, to prevent the kind of identity theft occasioned by the cyber attack, it is offering a free one-year subscription to TrueIdentity, which allows users to detect identity-related threats and recover from the consequences of ID theft. Thereafter, the cost of ID protection is R499 a year.
“When the free one-year subscription to TrueIdentity lapses, we will provide you with a TrueCredit subscription until 31 December 2023. TrueCredit provides credit monitoring and credit alerts as well as monthly credit reports,” says the statement from TransUnion.
It remains to be seen how this goes down with clients whose data was stolen.
Reaching out to affected customers
TransUnion says where contact information is available, it is directly contacting known impacted individuals. “We are working incredibly hard to get notifications to consumers as soon as possible,” it says.
“As our investigation continues, our teams have been working alongside multiple regulatory, law enforcement and industry bodies to ensure we maintain as full and comprehensive an understanding of the potential impact on all of our consumers as possible.”
An investigation of this nature is likely to take several weeks and information will be shared with all law enforcement agencies to support their ongoing criminal investigation.
Echoes of Experian
Previously, credit bureau Experian suffered a hack in which an estimated 24 million South Africans had their data compromised. In September 2021 it was announced that the Hawks had arrested a 36-year-old Gauteng suspect in the crime.
The South African Banking Risk Information Centre (Sabric) issued a statement saying no consumer credit or consumer financial information was obtained in the Experian breach. “Our investigations do not indicate that any misappropriated data has been used for fraudulent purposes.” The suspect intended to use the data to create marketing leads to offer insurance and credit-related services, and attempted to sell the data for R4.2 million.