TransUnion says at least three million people affected by data breach

27 March 2022 - 12:28
TransUnion said access was gained to a server through misuse of an authorised client’s credentials. Stock photo.
Image: 123RF/nexusplexus TransUnion said access was gained to a server through misuse of an authorised client’s credentials. Stock photo.

Credit bureau TransUnion SA has confirmed that at least three million consumers are affected by a data breach orchestrated by a “criminal third party” which gained access to a server “through misuse of an authorised client’s credentials”.

International hackers claimed to possess the personal information of millions of South Africans after breaching TransUnion’s database, with the company refusing to pay the R222m being demanded, Sunday Times Daily reported on Friday. Some of the information was being leaked as proof “samples”.

TransUnion said in an update on Saturday that a “criminal third party” had “aggregated and is releasing data allegedly obtained from TransUnion SA and other sources, including at least 54 million records unrelated to TransUnion from prior data breaches dating back to 2017. With the help of outside experts, we are screening and reviewing this data as quickly as we are able to safely access it.”

“We condemn this criminal behaviour”, said Lee Naik, CEO TransUnion SA.

“The protection of affected individuals is a top priority, and we remain committed to assisting anyone whose information may have been illegally accessed from TransUnion SA.”

The credit bureau said access was gained to a server through misuse of an authorised client’s credentials. Upon discovery of the incident, TransUnion SA suspended the client’s access, engaged cybersecurity and forensic experts and launched an investigation.

“At this time TransUnion SA can confirm at least three million impacted consumers. We have identified an additional six million ID numbers where there is no personal information linked to the ID numbers that would enable us to identify the impacted consumers or to communicate with them directly at this stage. We continue to work diligently to determine whether these ID numbers can be linked to other personal information to identify any additional impacted consumers,” the company said in a statement.

“Based on our investigation to date, fields of information that may be affected include name, ID number, date of birth, gender, contact details, marital status and information, identity of employer and duration of employment, vehicle finance contract number, and VIN numbers. In isolated circumstances, spouse information, passport numbers, credit or insurance scores may be impacted. Each data subject may have a combination of different fields impacted, depending on what data was available.”

TransUnion said it had provided a notification and answers to frequently asked questions (FAQs) on its website to assist consumers. Both of the resources are available here.

“TransUnion SA is providing information on how affected individuals can protect themselves, including a free annual subscription to TransUnion’s tools to detect identity-related threats, as well as free access to their credit report and alerts up to December 31 2023.”

A breach of credit bureau Experian in 2020 exposed the personal information of as many as 24 million South Africans and 793,749 business entities to a suspected fraudster, and, according to the SA Fraud Prevention Service (SAFPS), led to a huge spike in impersonation fraud.


Support independent journalism by subscribing to the Sunday Times. Just R20 for the first month.