TransUnion is directly contacting the individuals whose personal information it knows has been impacted by the hack reported over a week ago. This comes after the Information Regulator (IR) expressed its dissatisfaction with how the credit bureau was handling the incident.
The IR told TransUnion to use “all radio stations, broadcasting in each official language, publish in all newspapers and drive communication on various social media platforms to provide sufficient notification to data subjects about this security compromise”.
Section 22 of the Protection of Personal Information Act (Popia) empowers the regulator to direct a responsible party to publicise, “in any manner specified”, any information that will protect data subjects who may be affected by a security compromise.
A hacking group calling itself N4aughtysecTU claims to have accessed about 54 million records, including data from more than 200 corporates.
On 26 March, TransUnion confirmed that at least three million consumers have been impacted by the hack. It said the 54 million records were the result of data breaches unrelated to TransUnion dating back to 2017.
There is speculation that this may be referring to the massive breach of Department of Home Affairs data in October 2017.
An additional six million identity numbers have been compromised, but because no personal information was linked to these numbers, TransUnion said it could not identify the affected consumers or communicate with them directly.
“We continue to work diligently to determine whether these ID numbers can be linked to other personal information to identify any additional impacted consumers.”
TransUnion said the hackers have aggregated and were releasing the data “allegedly obtained” from it and other sources, including at the 54 million records.
“With the help of outside experts, we are screening and reviewing this data as quickly as we are able to safely access it.”
Deadline to pay the ransom has expired
The deadline for TransUnion to pay the ransom of $15 million (about R219m) in Bitcoin has come and gone.
TransUnion has refused to pay the ransom, saying doing so would only provide them and other hackers with an incentive to continue attacking consumers and extorting businesses.
“TransUnion’s approach is aligned with best practice advice from government and third-party cybersecurity experts, who recommend not paying, particularly given the risk criminals may leak data anyway,” it said.
TransUnion said its investigation had found that the type of personal information that “might have been compromised” included the consumer’s name, identity number, date of birth, gender, contact details, marital status and information, identity of employer and duration of employment, vehicle finance contract number, and vehicle identification number.
“In isolated circumstances, spouse information, passport numbers, credit or insurance scores may be impacted. Each data subject may have a combination of different fields impacted, depending on what data was available.”
What the Information Regulator wants
In a statement on 25 March, the IR expressed “continued dissatisfaction with the security compromise notification submitted by TransUnion, following the instructions given to the credit bureau on 19 March, when the regulator called on TransUnion to explain the circumstances of the security compromise it experienced”.
It said the notification did not provide sufficient details or remedy to the millions of data subjects whose personal information has been compromised.
“It omits critical information that provides assurance on how the matter is managed. The report neither provides detail on how the credit bureau will mitigate the subsequent risks nor information on how the credit bureau will remedy this crisis. This leaves the regulator extremely concerned regarding the adequacy of safeguards at TransUnion for the protection of personal information as is required in terms of Popia,” the IR said.
The regulator further directed TransUnion to provide it with:
- A detailed description of the possible consequences of the security compromise and its impact on data subjects.
- Advice and recommendations on the measures to be taken by the data subjects to mitigate the potential adverse effects of the security compromise; and
- A description of the measures TransUnion intends to take or has taken to address the security compromise.
The IR said that, following an assessment of the contents of the credit bureau’s security compromise notification, and the extent and severity of the security compromise, it will investigate the appropriateness of TransUnion’s measures to protect the personal information it possesses or controls.
The regulator has subsequently written to the credit bureau and expects a response by 1 April.
The IR has expressed its concern about TransUnion’s approach to ensuring that the affected data subjects’ personal information is protected and that the hackers do not make further use of it.
“The regulator has asked TransUnion to provide it with confirmation that a criminal case has been opened with the SAPS, in terms of the Cybercrimes Act. If no criminal case has been opened, the regulator has requested reasons for the delay in doing so,” it said.