TransUnion South Africa has disclosed that hackers breached one of their servers using stolen credentials and demanded a ransom payment not to release stolen data.
The African division of TransUnion operates in eight African countries offering commercial and consumer insurance and risk information solutions across various industries.
According to the company’s statement, an unauthorized person obtained access to a server based in South Africa using stolen credentials.
The system infiltrator appears to have exfiltrated data stored in that server and then extorted TransUnion by demanding a ransom payment for not publishing the stolen files. The company has noted it will not pay the hacker.
TransUnion South Africa says they have engaged with cybersecurity experts and digital forensic experts to investigate the incident. They are also working with law enforcement and the country’s regulators.
Finally, TransUnion believes the breached server only contains information relevant to the South African business, so those in Botswana, Kenya, Namibia, Rwanda, Swaziland, Zambia, and Malawi are not impacted by this incident.
“As our investigation progresses, we will notify and assist individuals whose personal data may have been affected. We will be making identity protection products available to impacted consumers free of charge,” TransUnion South Africa said in a statement regarding the data breach.
Brazilian hackers claim responsibility
A Brazilian hacking group known as “N4ughtysecTU” has claimed responsibility for the attack and told BleepingComputer that they downloaded 4TB of data during the cyberattack.
The threat actors claim to have breached a poorly secured TransUnion SFTP server and stolen data containing roughly 54 million customers, mainly from South Africa. Still, records from other countries are included in the stolen data as well.
The “N4ughtysecTu” threat actor also told us they didn’t steal any user credentials but performed a brute force attack on the SFTP server. The account they ultimately breached was allegedly using the password “Password”, so it was quick and straightforward to brute-force.
A NordVPN report places “password” as the fifth most commonly used password in 2021, taking less than a second to brute-force.
Additionally, the hackers told Bleeping Computer they set the ransom demand to $15,000,000 in Bitcoin and threatened to extort TransUnion’s customers by demanding an “insurance” payment if a ransom was not paid.
The hacking group states that the “insurance” for large TransUnion clients will be $1,000,000, while smaller businesses will have a smaller $100,000 demand.
Those who pay this insurance will allegedly have their dataset excluded from publication by the hacking group.
If you are a TransUnion customer in South Africa, it is strongly advised to remain calm and report any suspicious unsolicited communications to the authorities.
For companies considering paying an extortion demand, ransomware negotiation firm Coveware says it is not uncommon for threat actors to leak stolen data after a ransom was paid or even re-extort a victim using the same data in the future.
Instead, Coveware advises breached companies to automatically assume that their data has been shared among multiple threat actors and that it will be used or leaked in some manner in the future, regardless of whether they paid.
Lee Naik, CEO of TransUnion South Africa, is also reassuring customers that they will assist any companies whose data was stolen during the attack.
“The security and protection of the information we hold is TransUnion’s top priority,” said Naik in a press statement. “We understand that situations like this can be unsettling and TransUnion South Africa remains committed to assisting anyone whose information may have been affected.”
Source: www.bleepingcomputer.com