How a Hacker Breached the TransUnion Canada Website

Journal of CyberPolicy and Information Security Buzz, October 8, 2019, with comments by Satya Gupta

A hacker illegally stole and used a customer’s login credentials to access the TransUnion web portal. They then used this access to pull consumer credit files of up to 37,000 Canadians. The breach took place between June 28 and July 29 this year. The stolen credentials belonged to a legitimate customer.

The sensitive data that was compromised is normally accessible remotely through a VPN client or corporate device that relies on authentication for user identification and tracking.

TransUnion Sending Breach Notification Letters to Customers

TransUnion Canada has begun notifying customers via letters, explaining that their data was accessed by the unauthorized login during specific dates last summer. The unauthorized user who got into the business portal was able to look up their credit files.

From the letter:

"Trans Union of Canada, Inc ("TransUnion") is writing to let you know about a data security incident. Our customer, CWB National Leasing Inc. ("CWB National Leasing"), has advised us that their access code to TransUnion systems may have been misappropriated and used to access information about you without authorization. Upon becoming aware of the incident, TransUnion commenced an investigation.

By way of background, TransUnion operates a portal through which our business customers can retrieve consumer credit files for permitted purposes. An unidentified person illegally obtained CWB National Leasing's access code and password to the portal, which has permitted access to some of TransUnion's credit file information between approximately June 28 and July 11, 2019. TransUnion has confirmed that the login credentials were terminated."

Sensitive Credit Data Stolen from 37,000 Canadian Customers

Once in the portal, the hacker used consumers’ names, addresses, DOBs, or Social Security Numbers to run credit searches. If done correctly, a credit file would reveal the consumer’s information, including name, DOB, current and past addresses, and other related information such as loans, debts owed, and payment history.

Actual numbers would not be part of this report. However, there was more than enough in the report for the hacker to use for identity theft. Impacted consumers should react accordingly by monitoring their credit for any fraudulent activity.

Satya Gupta, co-founder and CTO of Virsec, told CyberPolicy and Information Security Buzz:

“Given the high likelihood that many users will reuse passwords across multiple services, techniques like credential stuffing can easily provide access to thousands of user accounts. Compromising a credit reporting account can open up even more sensitive personal data that is quickly sold to other attackers.

At a minimum, end-users should immediately implement strong passwords and multi-factor authentication. But restoring the privacy of data that has already leaked is almost impossible.”

