Hackers demand $60m from TransUnion and Experian, claiming data theft

Two of the country’s largest consumer credit reporting agencies, TransUnion and Experian, may have been hit by a fresh data hack, potentially exposing the financial and personal data of South Africans to risk. 

The hackers, the Brazil-based N4ughtySecTU Group, which has hacked TransUnion before, had again bypassed the organisation’s firewalls and security and managed to get away with the data. 

In their communication to TimesLIVE, the hackers shared journalist Sabelo Skiti’s name and identity number through his personal WhatsApp account. 

“The N4aughtySec Group is currently inside your and your clients’ infrastructure and will expose all data and system files in the next 24 hours should our ransom demands not be met in 24 hours,” the hackers told both organisations in their closed message.

“We demand $30m [about R565m] from TransUnion and $30m from Experian. Ensure your response teams contact us on Session [a private communication platform] for payment instructions,” they said in the message sent to senior managers and directors at both organisations.

“No further extensions will be granted … You were mistaken by not paying us the first time we harvested all your data and clients’ data. We have direct access to all your data and your clients’ data. We have direct access to all your and your clients’ infrastructure,” they added. 

TransUnion, through its PR company, confirmed the demand.

“TransUnion SA is aware of a financial demand from a threat actor asserting they have accessed TransUnion SA’s data. While we are continuing to monitor closely, we have found no evidence that our systems have been inappropriately accessed or that any data has been exfiltrated. We’ve likewise seen no change to our operations and systems in SA related in any way to this claim.

“We treat matters regarding our information security seriously, and data security remains our top priority,” they said.

The hackers have yet to provide evidence of a new hack or that new data has been taken.

An Experian spokesperson said: “We have investigated reports that Experian data in SA has been illegally obtained and have found these claims to be baseless. There is no evidence that our systems or data have been compromised in any way nor the systems or data of any of our clients. We take threats of this nature seriously and will continue to review our systems for security. Protecting our customers and data is our top priority.”

TransUnion and Experian collect credit information to provide to lenders such as insurers, banks and vehicle finance houses.

If true, claims of the attack would raise questions about whether the institutions are serious about curbing cyber intrusions, having suffered similar attacks before, said Karim Jaber, CEO at military-grade cyber security firm Scarybyte.

“If this is the second attack of its kind within a year, irrespective of whether it’s by the same group or new perpetrators, it poses a significant threat to SA. We must not forget that this concerns the data of SA citizens. The regulatory bodies must ensure that when companies claim to have implemented security upgrades or new measures, they are effective and not just nominal. This incident should serve as a serious warning about the handling of such sensitive data,” Jaber added.

In March 2022, the information regulator ordered TransUnion to publicise, in newspapers and television advertisements in all of SA’s official languages, the details of the information the hackers stole. The regulator further said it was dissatisfied with the bureau’s response to the hack, Business Day reported.

In the last hack, the N4aughtySec hackers said they would leak consumers’ sensitive credit information and data if they were not paid a $15m [R218m] ransom. They claimed to have accessed and taken 28-million credit records, and 54-million identity numbers. 

TransUnion said it believed the 54-million number related to a 2017 hacking of an SA government website. They said at least 3-million consumers were affected by the hack and that they had started messaging and emailing those affected.

At the time, the Sunday Times reported that among those affected was President Cyril Ramaphosa, as his home address, identity and cellphone numbers were accessed illegally. The Sunday Times was also supplied with screenshots, by a different group of hackers called SpiderLog$, who had been running unauthorised vulnerability scans on government servers. These showed that government departments and state-owned companies are not safe and are “wide open” to intrusion.