A hacker was able to access financial information on 37,000 Canadians or businesses held by credit reporting agency TransUnion Canada for two weeks over the summer by going through one of the company’s business customers.
The news site Bleeping Computer said Monday it had learned that TransUnion Canada began mailing notification letters to affected customers, saying someone stole the access code of equipment leasing firm CWB National Leasing, and with it entered a TransUnion business portal to do credit file lookups between June 28th and July 11th.
The portal is used by business customers to get consumer credit files for permitted purposes. All the attacker needed to do once in the system was enter a person’s name, address, date of birth or Social Insurance Number. That would get a person’s credit-related information such as loan obligations, amounts owed, and payment history.
“TransUnion Canada learned in August that some consumer credit files in Canada may have been accessed without authorization through the fraudulent use of a legitimate customer’s login credentials,” David Blumberg, the company’s senior vice-president of public relations said in an email this morning. “While the unauthorized access was not the result of a breach or failure of TransUnion’s systems or our customer’s systems, the protection of consumer information is our top priority, and we therefore proactively notified the population whose information may have been accessed.
“TransUnion continues to look for ways to further strengthen our defenses against unauthorized access of any kind to TransUnion data. All organizations are at risk of criminal attacks and fraud, and we support our customers in their efforts to protect data by sharing best practices and implementing safeguards such as access controls, monitoring and audits.”
As required by recent law, the data breach has been reported to the federal privacy commissioner.
From an infosec pro’s point of view, this is a third-party supply chain hack. Supply chain hacks are frustrating to CISOs because they can get around an organization’s best defensive efforts. This is why security experts emphasize that enterprises must not only secure their own networks and data, but also ensure that the organizations able to connect to their systems are secure as well.
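The portal abuse described above is hard to stop at the login screen, since the attacker arrives with a legitimate customer’s credentials. What can catch it is the "monitoring and audits" TransUnion mentions: comparing each business account’s lookup activity against that account’s own history. The following Python example is added here to show one way of doing that; it is not TransUnion or CWB code. The log format, account names, IP addresses, and the volume thresholds are all constructed assumptions for the illustration.

```python
"""Flag credit-file lookups that deviate from a business account's own baseline.

Added illustration, not TransUnion code. Assumes a constructed log format:
    <ISO-8601 UTC timestamp> account=<customer id> ip=<source ip> subject=<hashed consumer id>
"""
from collections import defaultdict
from datetime import date, datetime, timezone
from typing import NamedTuple


class Lookup(NamedTuple):
    ts: datetime
    account: str
    src_ip: str
    subject: str


def parse_line(line: str) -> Lookup:
    """Parse one constructed portal log line into a Lookup."""
    ts_text, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Lookup(ts, kv["account"], kv["ip"], kv["subject"])


def detect(lines, window_start: str, volume_factor: int = 3, min_volume: int = 10):
    """Return one finding per (account, day) on or after window_start whose lookup
    volume, source IP, or hour-of-day was never seen in that account's baseline."""
    start = date.fromisoformat(window_start)
    lookups = [parse_line(line) for line in lines]

    # Baseline profile per account, built from everything before the window.
    daily = defaultdict(lambda: defaultdict(int))   # account -> day -> count
    known_ips = defaultdict(set)
    known_hours = defaultdict(set)
    for lk in lookups:
        if lk.ts.date() < start:
            daily[lk.account][lk.ts.date()] += 1
            known_ips[lk.account].add(lk.src_ip)
            known_hours[lk.account].add(lk.ts.hour)

    # Activity per (account, day) inside the detection window.
    recent = defaultdict(lambda: {"count": 0, "ips": set(), "hours": set()})
    for lk in lookups:
        if lk.ts.date() >= start:
            entry = recent[(lk.account, lk.ts.date())]
            entry["count"] += 1
            entry["ips"].add(lk.src_ip)
            entry["hours"].add(lk.ts.hour)

    findings = []
    for (account, day), entry in sorted(recent.items()):
        # Threshold is relative to the account's busiest baseline day, with a floor so
        # a low-volume customer is not flagged for a handful of legitimate lookups.
        busiest = max(daily[account].values(), default=0)
        threshold = max(volume_factor * busiest, min_volume)
        reasons = []
        if entry["count"] > threshold:
            reasons.append(("volume", f"{entry['count']} lookups, threshold {threshold}"))
        new_ips = entry["ips"] - known_ips[account]
        if new_ips:
            reasons.append(("new_ip", ", ".join(sorted(new_ips))))
        new_hours = entry["hours"] - known_hours[account]
        if new_hours:
            reasons.append(("off_hours", ", ".join(f"{h:02d}:00" for h in sorted(new_hours))))
        if reasons:
            findings.append({"account": account, "day": day.isoformat(),
                             "lookups": entry["count"], "reasons": reasons})
    return findings


def constructed_log():
    """Constructed sample: two customers with quiet daytime usage for four days, then on
    2019-06-28 one account bursts at 02:00 UTC from an address it has never used."""
    lines = []
    for day in (24, 25, 26, 27):
        for hour in (14, 16):
            lines.append(f"2019-06-{day}T{hour}:05:00Z account=LEASECO-01 ip=203.0.113.7 subject=sha256:{day}{hour}a")
        for hour in (10, 11, 15):
            lines.append(f"2019-06-{day}T{hour}:30:00Z account=BANK-02 ip=192.0.2.44 subject=sha256:{day}{hour}b")
    for n in range(12):
        lines.append(f"2019-06-28T0{2 + n // 10}:{n % 10:02d}:00Z account=LEASECO-01 ip=198.51.100.9 subject=sha256:burst{n}")
    for hour in (10, 11, 15):
        lines.append(f"2019-06-28T{hour}:30:00Z account=BANK-02 ip=192.0.2.44 subject=sha256:28{hour}b")
    return lines


if __name__ == "__main__":
    for finding in detect(constructed_log(), "2019-06-28"):
        print(finding)
```

Each account is compared only with itself: a leasing firm that normally does a few lookups a day from one office address stands out when a burst arrives overnight from a new network, while a bank with the same daytime pattern every day is left alone. In practice the baseline would be fed from the portal’s access logs and the findings routed to the customer for confirmation, which is also what an audit of the two-week window in the story would have needed.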
Arguably one of the most infamous third-party data thefts — and one which raised the profile of this kind of attack — was the 2013 breach at retailer Target Stores, where the credit card information of some 41 million customers and the personal information of some 70 million customers was copied. The attackers got into the Target system by stealing the login credentials of a heating/ventilation contractor which had access to the retailer’s network. In fact, a sensor gave an early alert, but it was ignored by staff.
Among the more recent incidents, someone got into an update server run by computer maker Asus and planted malware aimed at 600 specific computer owners.
But the biggest — although possibly inadvertent — third-party attack was the 2017 NotPetya destructive worm which spread around the world. It started with the infection of the update server for a Ukrainian tax software called MeDoc. The U.K. government believes Russia was behind the infection, suspecting the goal was to harass people in a neighboring country it has been in conflict with. But the malware escaped across borders, infecting millions of computers around the world that hadn’t applied a recent Windows patch.
Letters from TransUnion Canada have been going to possibly affected Canadians since mid-September. TransUnion is providing two years of credit monitoring and $50,000 of identity theft insurance to victims.
TransUnion is one of the biggest credit reporting agencies in the world, holding over 1 billion consumer credit files. Over 75,000 business customers use its services to check the credit of customers.
(This story has been updated from the original to include the number of victims)