Credit Reporting Agency TransUnion Data Breach Exposes More Than 4.4 Million Americans’ Sensitive Information

September 2, 2025 8:43 pm

TransUnion disclosed that a recent hack involving a third party resulted in the exposure of more than 4.4 million people’s highly sensitive data.

The U.S. consumer credit reporting agency sent letters to affected customers in late August, as well as to the office of Maine’s attorney general, which posted a copy of the letter on its website. Maine legally requires that companies disclose certain kinds of breaches if an incident impacts its residents, according to Reuters.

The 28 July data breach impacted the personal information of 4,461,511 TransUnion customers. The affected data “did not include credit reports or core credit information,” according to the letter, but did include names, dates of birth, and Social Security information, as listed in a breach report submitted to the Texas attorney general. The breach was discovered on 30 July.

“Unfortunately, TransUnion and other reporting organizations—and all third parties interacting with them—need to maintain the utmost security posture and resilience in the face of exhaustive targeting, both due to the high profile they have and their dataset’s importance,” Lawrence Pingree, technology evangelist for Dispersive, said in an emailed statement.

While TransUnion did not disclose the name of the third-party application linked to the breach, other U.S. organizations have recently seen similar hacks linked to Salesforce apps, including Adidas, Air France-KLM, Cisco, Farmers Insurance, Google, Louis Vuitton, Tiffany & Co., Workday, and more.

What makes the TransUnion breach more serious and places victims at greater risk than in the previous attacks is the exposure of Social Security numbers (SSNs) and contact and support data, according to Cory Michal, chief security officer for AppOmni.

“While most of the previous attacks have exposed sensitive but less critical information, the compromise of SSNs creates far greater potential for identity theft, financial fraud, and long-term misuse of personal data. That elevates the impact of the TransUnion breach well above other recent disclosures, even if the number of affected individuals is smaller,” Michal said in an emailed statement to Security Management.

In most of the other hacks, attackers exploited third-party integrations or OAuth-connected apps disguised as legitimate Salesforce tools to siphon sensitive records, Fox News reported. This allowed the attackers to gain long-lasting access to customer relationship management data.

Experts said that the activity in these attacks indicates that the extortion group ShinyHunters is likely responsible, while other aspects—such as codified serial file names—could mean that the attacks are part of a larger extortion-as-a-service effort, where individuals or groups of hackers coordinate and share stolen data.

Information security and technology news organization Bleeping Computer “confirmed with two sources, including ShinyHunters, that TransUnion’s data breach is linked to these Salesforce attacks. …A sample of the stolen data shared with Bleeping Computer contains quite a lot of sensitive personal information, including names, billing addresses, phone numbers, email addresses, dates of birth, and unredacted Social Security numbers of TransUnion customers.”

The bureau, which tracks and stores the financial data of more than 260 million Americans, is offering any impacted customers access to credit monitoring services and identity theft protection for free for 2 years from the date of enrollment.

At least one law firm has begun investigating the breach, potentially leading to another class action lawsuit against TransUnion.

 

© Copyright 2025 Credit and Collection News