Hackers with access to 54 million personal records demand R224m ransom from TransUnion SA

Credit reporting agency TransUnion South Africa has been hacked, with the hackers claiming they have accessed 54 million personal records of South Africans.

In a statement on Thursday, TransUnion South Africa said its server was accessed by a “criminal third party”.

It did this through the misuse of an authorised client’s credentials.

The hacker group reportedly gained access to four terabytes of data and is demanding a ransom of $15 million (about R223 million).

The hackers, N4aughtysecTU, claim to be from Brazil.

TransUnion South Africa is the South African division of the US-based consumer credit bureau.

It says it will not give in to the hackers’ demands.

Ransom will not be paid

“We have received an extortion demand and it will not be paid,” the agency said in its statement.

ALSO READ: Standard Bank: Victims of data breach must ‘keep a close eye on bank statements’

According to MyBroadband, the leaked data may include client’s contact information, such as telephone numbers, email addresses, identity numbers, and physical addresses.

“The security and protection of the information we hold is TransUnion’s top priority,” said Lee Naik, CEO of TransUnion South Africa.

“We understand that situations like this can be unsettling and TransUnion South Africa remains committed to assisting anyone whose information may have been affected.”

‼️ Bigger than Experian. The hacker groups says it has 54 million personal records of South Africans including credit scores, banking details and ID numbers.

So weak were the IT systems that the password TransUnion used was the word “Password” 🤯 https://t.co/mSfda8k3wh

— Nafisa Akabor (@nafisa1) March 18, 2022

Weak password

In a tweet, technology expert Nafisa Akabor claimed that the agency, which holds the data of millions of South Africans, used the word “Password” as its password.

She also said the data breach is bigger than the one that occurred at credit bureau Experian in August 2020.

Experian

In September 2021, the Hawks arrested a 36-year-old suspect in Gauteng following the massive data breach at Experian in August 2020.

At the time, Hawks spokesperson Colonel Katlego Mogale said Experian allegedly entered into a contract with the suspect, who posed as a director of Talis Holdings requesting services from them. 

This gave the suspect access to the personal information of millions of people. 

“The suspect then proceeded to download approximately 23 million personal data records and 727,000 business records. The suspect then attempted to sell these records at about R4.2 million,” Mogale said.

ALSO READ: Hawks arrest suspect for massive Experian data breach

Extra protection

Manie van Schalkwyk, CEO of the Southern African Fraud Prevention Service (SAFPS), said the data breach is proof that every company that holds personal information is a target.

“The consumer desperately needs an extra layer of protection on their identity against criminals who will turn their lives upside down without a second thought,” said Van Schalkwyk.

He said it is estimated that 17 billion cyber attacks take place around the world every day. Not all are successful though.