Two days after TransUnion Canada acknowledged notifying 37,000 Canadians that their personal information may have been copied by a hacker, several questions remain unanswered.
The credit bureau said in a statement that someone got hold of login credentials used by Winnipeg-based CWB National Leasing, which does credit checks on customers wanting to rent a wide range of equipment, and used them to access the TransUnion Canada database over a two-week period. Since then TransUnion hasn’t replied to some follow-up questions.
UPDATE: In an email statement Thursday a CWB spokesperson said “in August we learned that CWB’s National Leasing account was illegally used by an unauthorized third party to perform unauthorized credit checks through a credit reporting agency. No personal information held by CWB National Leasing was taken, disclosed or misused in any way. Investigations have shown no improper access to or failure of CWB National Leasing’s systems. CWB and our partner companies take information security matters, improving privacy considerations very seriously.”
It isn’t unusual for victim companies to say as little as possible after a data breach, but it also leaves a few questions unresolved:
- TransUnion says “consumer credit files may have been accessed without authorization through the fraudulent use of a legitimate customer’s login credentials,” meaning CWB’s. It isn’t known how that happened. Credentials are frequently stolen by phishing an employee, which would leave no trace of an intrusion into the employer’s own network, so CWB’s statement that its systems were not accessed or compromised does not rule this out. CWB also says it has been unable to determine how the login credentials were illegally acquired.
- Does TransUnion mandate multifactor authentication, in addition to the standard username and password, for all business customers who access its databases? If not, what other controls did it have in place to prevent unapproved access?
- Why did it take so long for the breach to be discovered?
- Why wasn’t the pulling of some 37,000 credit files from a single customer account over two weeks flagged as unusual while it was happening?
Halifax-based privacy lawyer David Fraser noted in an interview on Tuesday that many questions raised immediately after a breach is discovered won’t be answered until internal investigations are finished.
“Your defence is only as strong as the weakest link,” noted Fraser, a member of the McInnes Cooper law firm. “Obviously there are some question marks about exactly what happened here, but there are vulnerabilities all over the place in any distributed access system.
“Certainly there are a large number of data breaches I’ve seen that probably could have been prevented by the use of two-factor authentication because phishing attacks are so common and people give out their usernames and passwords quite readily.
“For any system that holds sensitive information and relies on usernames and passwords, I think two-factor authentication has become table stakes. It’s what should be a minimum expectation. It’s not foolproof, but having it is better than not.”
He has also seen another technology deployed in the financial and health sectors, broadly called user behaviour analytics, which looks for unusual behaviour by individual users or accounts, such as a volume or pattern of queries that departs from that account’s normal use. Fraser said he hopes this technology becomes more widespread.
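The kind of check user behaviour analytics performs on bureau query logs can be shown in a few lines. The following is an added example written for this page; it is not code from TransUnion, CWB or any product, and the log lines, account names (“lessor-demo”, “other-lessor”) and daily volumes are constructed to mimic the scenario in the article: one customer account pulls a normal ~20 files a day for two weeks, then several thousand a day for the next two weeks. Each account is compared only against its own history.

```python
"""Per-account volume anomaly check over credit-file pull logs (added example,
constructed data). Record format, assumed: 'MM-DD,customer_account,subject_id'."""
from collections import defaultdict
import statistics


def build_sample_log():
    """Constructed sample, not real bureau data (year omitted on purpose).
    'lessor-demo' pulls 19-21 files a day for two weeks, then 2,650 a day
    for the next two weeks; 'other-lessor' is steady at 15 a day."""
    lines = ["# constructed sample, not real bureau data"]
    for i in range(28):
        day = f"08-{i + 1:02d}"
        demo_pulls = 20 + (i % 3) - 1 if i < 14 else 2650
        for n in range(demo_pulls):
            lines.append(f"{day},lessor-demo,subj-{i:02d}-{n:05d}")
        for n in range(15):
            lines.append(f"{day},other-lessor,subj-{i:02d}-{n:05d}")
    return lines


def parse_log(lines):
    """Count credit-file pulls per (account, day); skip blanks and comments."""
    counts = defaultdict(int)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, account, _subject = line.split(",")
        counts[(account, day)] += 1
    return counts


def daily_series(counts, account):
    """Ordered list of (day, pulls) for one customer account."""
    days = sorted(d for (a, d) in counts if a == account)
    return [(d, counts[(account, d)]) for d in days]


def flag_anomalies(series, baseline_days=14, z=3.0, min_ratio=5.0):
    """Flag days whose pull count is both more than z standard deviations
    above the account's baseline and at least min_ratio times the baseline
    mean (the ratio stops a quiet account with stdev ~0 alerting on noise).

    The baseline is built only from days that were NOT flagged, so a
    sustained high-volume campaign cannot become the account's 'new normal'
    after its first day and silence the alert."""
    flagged = []
    normal = []  # (day, count) accepted as normal behaviour
    for day, count in series:
        if len(normal) < baseline_days:
            normal.append((day, count))  # warm-up: learn the account's usual volume
            continue
        base = [c for _, c in normal[-baseline_days:]]
        mean = statistics.fmean(base)
        stdev = statistics.pstdev(base)
        if count > mean + z * stdev and count >= min_ratio * max(mean, 1.0):
            flagged.append((day, count, round(mean, 1)))
        else:
            normal.append((day, count))
    return flagged


if __name__ == "__main__":
    counts = parse_log(build_sample_log())
    for account in ("lessor-demo", "other-lessor"):
        hits = flag_anomalies(daily_series(counts, account))
        print(account, f"{len(hits)} anomalous day(s)")
        for day, pulls, baseline in hits:
            print(f"  {day}: {pulls} pulls vs baseline mean {baseline}")
```

Run as a script it reports 14 anomalous days for the demo account (the first on 08-15, 2,650 pulls against a baseline mean of 19.9) and none for the steady account. Had the baseline been a plain trailing window, the second day of the campaign would already have pushed the mean and standard deviation high enough that the third day passed as normal; excluding flagged days from the baseline is what keeps the alert firing for the whole two weeks.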