TransUnion publicly disclosed on Thursday that a cyber incident last month impacted more than 4.4 million people in the U.S.
The breach, discovered on July 30, stemmed from unauthorized access to a third-party application that occurred on July 28, TransUnion said in a filing with the Maine Attorney General.
The company said the unauthorized access involved personal data stored on a third-party application and did not include credit reporting data. However, the company did not specify what type of data was involved.
A TransUnion spokesperson said the incident involved “restricted private info for a really small share of U.S. customers.”
The spokesperson also said the company “shortly contained the problem, which didn’t contain our core credit score database or embrace credit score reviews.”
State laws and federal regulators require any company that suffers a data breach to provide identity protection services to individual victims, typically for one to two years.
In this case, TransUnion offered victims of the data breach 24 months of free credit monitoring through its own service, myTrueIdentity Online.
Potential link to attacks targeting Salesforce
TransUnion did not name the specific third-party application involved in the breach, but it did say the application provided “client help operations.”
This matches the description of Salesforce, which has recently been the target of social engineering attacks that victimize Salesforce enterprise customers.
When asked about the TransUnion data breach and whether Salesforce was the third party involved in the incident, a spokesperson for Salesforce said the company would not comment on “particular buyer points” and linked to a blog post by the company about defending against social engineering.
Google’s Threat Intelligence Group said in a June analysis it was tracking a financially motivated threat actor, ShinyHunters, specializing in vishing campaigns.
Google said ShinyHunters had successfully breached networks, including Google’s own, by having its operators impersonate IT support personnel in telephone-based social engineering calls.
This approach tricked employees, often in English-speaking branches of multinational companies, into actions that granted attackers access or led to the sharing of sensitive credentials, ultimately facilitating the theft of an organization’s data, according to Google.
These attacks often targeted Salesforce systems, according to Google, but the cybersecurity researchers pointed out that the threat actor fools employees at the victim organizations rather than exploiting any vulnerability in Salesforce software.
Salesforce emphasized this point in a status message about the ongoing social engineering campaigns, saying, “the Salesforce platform has not been compromised, and this problem shouldn’t be because of any identified vulnerability in our know-how.”
A common ShinyHunters tactic involved deceiving victims into authorizing a malicious connected app, often a modified version of Salesforce’s Data Loader, to their organization’s Salesforce portal. This inadvertently granted ShinyHunters significant capabilities to access, query and exfiltrate sensitive information.
Previous TransUnion incident allegedly involved weak password
In March 2022, a threat actor said a password set to “password” compromised a TransUnion South Africa server in a data leak they claimed included hundreds of thousands of personal records.
At the time, TransUnion confirmed the security incident but did not acknowledge whether the company had used a weak password. The credit bureau said in a press release that cybercriminals used an authorized user’s credentials to access TransUnion data.