
Hackers demand $15 million ransom from TransUnion after cracking "password" password


March 21, 2022


International credit bureau TransUnion says that hackers managed to breach a server operated by its South African division, and gained access to the personal information of individuals.

According to an FAQ published by TransUnion South Africa, the cybercriminals gained access to the sensitive data by using the compromised credentials of one of the company's clients.

The firm says that the exposed data "may include personal information, such as telephone numbers, email addresses, identity numbers, physical addresses, and some credit scores."

As a precaution, TransUnion South Africa took some of its infrastructure offline temporarily while it investigated what had gone wrong.

A Brazilian hacking group calling itself N4aughtysecTU has claimed responsibility for the data breach, and has told the press that it stole 4TB of data, containing the records of 54 million customers.

Embarrassingly, the hackers claim that the account they compromised to gain access to data on TransUnion's server was protected with a password of "password".

N4aughtysecTU sent an extortion demand to TransUnion South Africa that requests R223 million (approximately US $15 million) in cryptocurrency in exchange for not releasing the stolen data.

The hackers have also threatened to access TransUnion's clients with financial demands.

TransUnion South Africa says it will not pay the ransom, and that it has brought in cybersecurity experts to assist in its response to the incident.

In addition, TransUnion has attempted to debunk N4aughtysecTU's claims that 54 million records have been exposed, claiming that those records relate to a 2017 data incident not involving TransUnion.

What TransUnion South Africa isn't saying is just how many individuals may be affected by the breach, or how much data the hackers may have accessed, beyond its generic claim that it believes "the incident impacted an isolated server holding limited data from [its] South African business."

For those victims who have had their data breached, it is particularly galling. They may have little reason to have ever heard of TransUnion South Africa, let alone done direct business with them. However, companies will have made use of TransUnion’s credit-checking services to determine if consumers should be approved for a loan or allowed to open an account.

TransUnion says it is offering individuals whose personal data may have been affected by the breach a free annual subscription to the TrueIdentity identity protection service run by ... err... TransUnion.

Yes, TransUnion had your personal data without your knowledge or permission. TransUnion suffered a data breach which resulted in that data ending up in the hands of hackers. TransUnion says you can use its products to protect yourself from identity thieves.

Surely the best protection of all would have been if they hadn't been storing people's data with inadequate security in the first place.




Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
