This week, TransUnion confirmed a major cyber incident that exposed personal data of more than 4.4 million people.
The breach happened on 28 July, and was discovered two days later. Notification letters began reaching affected consumers on 26 August.
“We are writing to make you aware of a cyber incident involving unauthorized access to some of your personal data that was stored on a third-party application. Importantly, no credit information was accessed,” TransUnion’s letter says.
The compromised data reportedly includes names and other personal identifiers paired with unspecified sensitive information. Details on how the attackers gained access have not been released.
TransUnion is offering impacted consumers two years of free credit monitoring through its myTrueIdentity Online service.
The company has emphasized that credit files remain untouched and that no credit information was accessed during the incident.
The scale of the breach highlights the persistent threat facing even the largest consumer reporting agencies.
Targeting Supply Chains
Ted Miracco, CEO of Approov, says: “The TransUnion breach is another case of attackers increasingly targeting supply-chain APIs. Organizations must treat API access and mobile security as core strategic priorities.”
Rapid key revocation capability, secure secret management, and robust third-party vetting are critical defenses, he adds. “APIs are the leading target for cybercriminals as they present the largest attack surface, and traditional tools struggle to distinguish legitimate from malicious activity at the API level. This is especially true for mobile-specific APIs, which are often less secure than web-based APIs.”
Maintain Resilience
Lawrence Pingree, Technical Evangelist at Dispersive, says: “Any data breach of credit monitoring services is quite serious, especially breaches that involve tampering of any kind. So far, we’ve seen limited breaches that do that, so if there is something positive, it’s that at least it’s a typical style data breach.”
Unfortunately, Pingree says, TransUnion and other reporting organizations (and all third parties interacting with them) need to maintain the utmost security posture and resilience in the face of exhaustive targeting, both because of their high profile and because of the importance of their dataset.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.