TransUnion South Africa hacked; attackers say password was ‘password’

Residents of Cape Town, one of South Africa's three capital cities, may have been affected by a recent breach of TransUnion data.
Dwayne Senior/Bloomberg

Hackers say a password set to “password” compromised a TransUnion South Africa server in a data leak they claim includes millions of personal records.

TransUnion confirmed the security incident but did not acknowledge whether a weak password was involved. The credit bureau said in a March 17 press release that cybercriminals used an authorized client’s credentials to access TransUnion data.

As first reported by the South African media company ITWeb, a Brazilian group going by the name N4ughtySecTU claimed to have used the password “password” to get into TransUnion’s system. The hackers told ITWeb they accessed 54 million personal records and demanded $15 million in exchange for a guarantee they would not publish the records.

TransUnion said “the incident impacted an isolated server holding limited data from our South African business.” It said it believes the 54 million records relate to a 2017 data incident “unrelated to TransUnion,” but the company did not specify what incident or whether 54 million records were leaked in the recent incident. It also said the extortion demand “will not be paid.”

According to the virtual private network provider NordPass, “password” was the fifth most common password in 2020.

TransUnion South Africa said that it suspended access from the compromised client after discovering the incident, engaged cybersecurity and forensic experts, and launched an investigation.

“As a precautionary measure, TransUnion South Africa took certain elements of our services offline,” the company said on March 17. “These services have resumed.”

TransUnion said the attack was not a ransomware attack, and it had “no evidence to suggest this incident extends further than Africa.” It also said hackers did not break into its servers directly but rather used a client’s credentials to access TransUnion data.

MyBroadband, a South Africa-based IT news site, reported the hackers are also extorting companies they claim are involved in the attack, asking for what it called an “insurance fee.”

“We want it to be known that we will be reaching out to them and allow them to verify the data we have,” the group told MyBroadband. “If TransUnion does not pay the ransom amount by the deadline, those companies who paid the insurance fee will be safe when we leak the data.”
