Unanswered questions in TransUnion Canada data breach

Two days after TransUnion Canada acknowledged cautioning 37,000 Canadians that their personal information may have been copied by a hacker, several unanswered questions remain.

The credit bureau said in a statement that someone got hold of login credentials used by Winnipeg-based CWB National Leasing, which does credit checks on customers wanting to rent a wide range of equipment, and used them to access the TransUnion Canada database over a two-week period. Since then TransUnion hasn’t replied to some follow-up questions.

UPDATE: In an email statement Thursday a CWB spokesperson said “in August we learned that CWB’s National Leasing account was illegally used by an unauthorized third party to perform unauthorized credit checks through a credit reporting agency. No personal information held by CWB National Leasing was taken, disclosed or misused in any way. Investigations have shown no improper access to or failure of CWB National Leasing’s systems. CWB and our partner companies take information security matters, improving privacy considerations very seriously.”

It isn’t unusual for victim companies to say as little as possible after a data breach, but it also leaves a few questions unresolved:

  • TransUnion says “consumer credit files may have been accessed without authorization through the fraudulent use of a legitimate customer’s login credentials,” meaning CWB.  It isn’t known how that happened.  There are cases where credentials are stolen through phishing, but CWB says its systems were not accessed or compromised. It also says has been unable to determine how the login credentials were illegally acquired.
  • Does TransUnion mandate the use of multifactor authentication in addition to the standard username and password for all business customers who accessed its databases? If not, what other practices did it have to prevent unapproved access?
  • Why did it take so long for the breach to be discovered?
  • Why wasn’t the exfiltration of thousands of files discovered?

Halifax-based privacy lawyer David Fraser noted in an interview on Tuesday that many questions raised immediately after a breach is discovered won’t be answered until internal investigations are finished.

“Your defence is only as strong as the weakest link,” noted Fraser, a member of the McInnes Cooper law firm. “Obviously there are some question marks about exactly what happened here, but there are vulnerabilities all over the place in any distributed access system.

“Certainly there are a large number of data breaches I’ve seen that probably could have been prevented by the use of two-factor authentication because phishing attacks are so common and people give out their usernames and passwords quite readily.

“For any system that holds sensitive information and relies on usernames and passwords, I think two-factor authentication has become table stakes. It’s what should be a minimum expectation. It’s not foolproof, but having it is better than not.”

He’s also seen the use of another technology deployed in the financial and health sectors, broadly called user behaviour analytics, which looks for unusual network behaviour of individuals. Fraser said he hopes this technology becomes more widespread.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Article

ADaPT connects employers with highly skilled young workers

Help wanted. That’s what many tech companies across Canada are saying, and research shows that as the demand for skilled workers...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now