The Association for Savings and Investment South Africa (Asisa) has cautioned policyholders and investors to expect an increase in phishing attempts and approaches from criminals impersonating representatives from life insurers and investment companies following the data breach at TransUnion South Africa last week.
On Thursday, TransUnion said one of its servers had been hacked “through misuse of an authorised client’s credentials. We have received an extortion demand, and it will not be paid.”
According to ITWeb, the ransom demand is $15 million (about R224m) in Bitcoin. TransUnion has neither confirmed nor denied that this amount is correct.
ITWeb reported that a group called N4aughtysecTU said it is responsible for the hack. It claims to have accessed about 54 million records, including data from more than 200 corporates.
TransUnion, however, has rejected the hackers’ claim that they have accessed 54 million records. It said, “the 54 million records relate to a 2017 data incident unrelated to TransUnion”, but it did not elaborate.
The hackers said they will expose the data or target TransUnion’s corporate clients if the ransom is not paid “in the next seven days”. (It is unclear from which date the countdown began.)
Johann van Tonder, senior policy adviser at Asisa, said because a number of Asisa’s members use TransUnion’s credit verification services, there is “a high possibility” that the compromised information includes the personal details of South African policyholders and investors.
“While it appears that the client information obtained by the hackers is limited to names, contact details and identity numbers, we are concerned that this could be used by criminals to trick consumers into sharing account passwords.”
Van Tonder said no company will request a client to share passwords or one-time PIN codes telephonically, via text message or via email. He said companies will also never request clients to log in to their accounts via unsolicited messages.
Van Tonder said Asisa was working closely with the South African Banking Risk Information Centre (Sabric) to assess the full impact of the data breach on consumers.
TransUnion working with law enforcement
In its statement, TransUnion said: “Immediately upon discovery of the incident, TransUnion South Africa suspended the client’s access, engaged cybersecurity and forensic experts, and launched an investigation.
“As a precautionary measure, TransUnion South Africa took certain elements of our services offline. These services have resumed.
“We believe the incident impacted an isolated server holding limited data from our South African business. We are working with law enforcement and regulators.
“We are engaging clients in South Africa about this incident. As our investigation progresses, we will contact and assist individuals whose personal data may have been affected.
“While we investigate, we have made a general notification about the incident available to consumers on our website at https://www.transunion.co.za/customer-support/faq. We will be making identity protection products available to impacted consumers free of charge.”
TransUnion confirmed the data breach on 17 March. N4aughtysecTU told ITWeb (via Telegram) that they alerted the credit bureau of the hack the previous week, on 11 March.
The group, which said it is based in Brazil, claimed it breached TransUnion’s IT system as far back as 2012 without being detected.
N4aughtysecTU claimed it contacted TransUnion chief executive Lee Naik on his cellphone after finding his personal information in the company’s system.
Co-ordinated response by the banks
Sabric said in a statement on Saturday that TransUnion was working with the country’s banks to protect their clients’ bank accounts and personal data.
Sabric chief executive Nischal Mewalall said the organisation has engaged with TransUnion “with the aim to co-ordinate the banking industry’s efforts to secure bank customers’ profiles against abuse.
“South African banks take the security of their customer data very seriously and have put in place robust risk mitigation strategies to detect potential fraud on accounts and protect customer personal information as the investigation unfolds.”
Mewalall said that having access to people’s personal information did not guarantee the hackers access to customers’ banking profiles or accounts, but he warned that “criminals can use this information to impersonate people or trick them into disclosing their confidential banking details”.
Data subjects must be informed urgently, says regulator
The Information Regulator (IR) said it met with representatives from TransUnion on Saturday to discuss the data breach.
The Protection of Personal Information Act (Popia) requires all private or public bodies that have experienced a security compromise to inform the regulator and the affected parties following such an incident.
At the meeting between the chief executive of TransUnion South Africa and the regulator, the IR spelt out its expectations regarding the notification of affected data subjects, the regulator said in a statement.
The IR emphasised the need for affected data subjects to be informed early about any security compromise of their personal information so they can take the necessary preventative action against the wrongful use of their personal information.
The regulator said that TransUnion will, by 22 March, submit to the IR details about the number of parties affected by the breach and TransUnion’s plan to notify data subjects in terms of section 22 of Popia.
The IR said it has instructed TransUnion to report to it the date on which the security compromise occurred, the cause of the security compromise, details of investigations into the security compromise, the extent and materiality of the security compromise, interim measures put in place to prevent a recurrence of the security compromise, and the security measures that TransUnion has put in place to prevent a recurrence of the security compromise.
Second credit bureau to be hacked
TransUnion is the second credit bureau in South Africa to be hacked. A data breach at Experian in 2020 potentially exposed the information of 24 million South Africans and 793 749 businesses to a suspected fraudster.
In September last year, cybercriminals accessed the personal records of more than 1.4 million consumers and employees in a ransomware attack on the servers of Debt-IN Consultants, which provides debt recovery services to a number of financial services institutions.
In November, Standard Bank said homeowners’ personal information had been compromised in a data breach on its LookSee platform.