TransUnion, a credit reporting bureau, recently began notifying some consumers that their credit information had been obtained by an unauthorized person or persons. The access occurred when a threat actor illegally accessed a TransUnion website that allows businesses and other authorized entities to perform credit reviews and other financial operations with consent of the individual being investigated. This threat actor utilized the stolen credentials of this legitimate TransUnion business customer, allowing for access to consumer credit information. The incidents appear to be confined to Canadian citizens at this time. Concerned consumers should contact their IT department or Managed Service Provider (for corporate credit accounts and information) or reach out to TransUnion directly (for personal credit accounts and information) via their website: https://www.transunion.com/
Technical detail and additional information
What is the threat?
TransUnion Canada suffered an incursion, via stolen credentials, to their business access web portal. This portal is used by businesses in Canada to perform credit checks and reviews with the consent of the investigated party, but through this incursion allowed an unknown threat actor to gain access to this sensitive information without consumer consent or approval. Consumer credit data includes names, dates of birth, tax identification numbers, residence information, and credit history – sufficient information to commit identity theft and other illegal activities.
Why is this noteworthy?
Unlike most credit information exfiltrations, this attack did not breach databases or other secure systems of TransUnion directly. Instead, credentials held by a legitimate business account holder were stolen and utilized to access the standard business web portal. As no additional precautions appear to have been in place in place (Multi-Factor Authentication, etc.), the credentials alone allowed for the threat actor to gain full access to all information and services that were accessible by the legitimate business user.
What is the exposure or risk?
TransUnion has not revealed how many people and businesses were affected by the breach but did state that they were made aware of the incident in August and that the attacker had performed credit lookups between June 28th and July 11th. In that time, anybusiness or individual that has information stored in the database could have had their information searched for and compromised. It should be noted that TransUnion is one of the largest credit reporting agencies, and therefore has databases which contain information on a massive amount of consumers, equal to Equifax or Experian. While this exfiltration appears to be limited to the TransUnion Canada business unit, a recent breach of Equifax included information on over 145 million consumers. As credit records include highly sensitive information such as tax identification numbers and dates of birth; it is possible that this information will be used to commit identity fraud and other threat activities.
What are the recommendations?
TransUnion Canada began sending out data security incident notifications via postal mail to consumers whose information was accessed via an unauthorized login. Credit reporting information includes full names, birth dates, tax identification numbers, residence history and current residence information, bank identity and in some cases account numbers, credit card numbers with history and credit limit information, and many more data points. Note also that consumers may not realize that TransUnion holds this information, as consumers do not traditionally do business with TransUnion directly, but rather interact with banks and credit card companies who in turn use TransUnion and report information into TransUnion. Any consumer who receives a notification should sign up for credit monitoring services (TransUnion is offering free services for impacted individuals) and watch all bank, loan, and credit accounts closely to ensure no anomalies occur.
For more in-depth information about the recommendations, please visit the following link:
If you have any questions, please contact our Security Operations Center.