[BreachExchange] TransUnion South Africa hacked; attackers say password was ‘password’

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Tue Mar 22 15:20:09 EDT 2022


https://www.americanbanker.com/news/transunion-south-africa-hacked-by-threat-actor-n4ughtysectu

Hackers say a password set to “password” compromised a TransUnion South
Africa server in a data leak they claim includes millions of personal
records.

TransUnion confirmed the security incident but did not acknowledge whether
a weak password was involved. The credit bureau said in a March 17 press
release that cybercriminals used an authorized client’s credentials to
access TransUnion data.

As first reported by the South African media company ITWeb, a Brazilian
group going by the name of N4ughtySecTU claimed to use the password
“password” to get into TransUnion’s system. The hackers told ITWeb they
accessed 54 million personal records and demanded $15 million in exchange
for a guarantee they would not publish the records.

TransUnion said “the incident impacted an isolated server holding limited
data from our South African business.” It said it believes the 54 million
records relate to a 2017 data incident “unrelated to TransUnion,” but the
company did not specify what incident or whether 54 million records were
leaked in the recent incident. It also said the extortion demand “will not
be paid.”

According to the virtual private network provider NordPass, “password” was
the fifth most common password in 2020.

TransUnion South Africa said that it suspended access from the compromised
client after discovering the incident, engaged cybersecurity and forensic
experts, and launched an investigation.

“As a precautionary measure, TransUnion South Africa took certain elements
of our services offline,” the company said on March 17. “These services
have resumed.”

TransUnion said the attack was not a ransomware attack, and it had “no
evidence to suggest this incident extends further than Africa.” It also
said hackers did not break into its servers directly but rather used a
client’s credentials to access TransUnion data.

MyBroadband, a South Africa-based IT news site, reported the hackers are
also extorting companies they claim are involved in the attack, asking for
what it called an “insurance fee.”

“We want it to be known that we will be reaching out to them and allow them
to verify the data we have,” the group told MyBroadband. “If TransUnion
does not pay the ransom amount by the deadline, those companies who paid
the insurance fee will be safe when we leak the data.”