A hacker has posted a stolen database on the dark web alleging it contains sensitive data stolen from credit agency TransUnion. However, the company says there is no evidence of any compromise or data exfiltration, and argues that whatever data was taken – must have been stolen from a third party.
Going by the alias “USDoD”, the hacker published a 3GB database on BreachForums, a popular underground site where criminals exchange tools and information. This database, it was claimed, carried personally identifiable information (PII) on more than 58,000 people, at least some of whom appear to be TransUnion customers.
The data includes full names, internal TransUnion identifiers, passport information such as birth dates and places of birth, marital status, age, employer information, credit scores and loan information.
Third party compromised
Following the leak, and subsequent media coverage, TransUnion published a short statement claiming to be aware of “some limited online activity alleging that data obtained from multiple entities, including TransUnion, will be released”. This prompted the firm to run an investigation with third-party cybersecurity and forensic expects, which concluded that there is “no indication that TransUnion systems have been breached or that data has been exfiltrated from our environment.”
Furthermore, TransUnion says, the data, formatting, and fields, don’t match the content or formats it uses, “indicating that any such data came from a third party.”
While this might very well be a supply chain attack, Infosecurity Magazine also reminds that the date of the database compromise aligns with a ransomware incident at TransUnion’s South African business last year.
Back then, the hackers asked for $15 million in exchange for the decryption key, and not leaking sensitive data on the dark web.
Separate reports claim USDoD works with a ransomware group known as Ransomed, and that they’re responsible for the data leak from 3,200 Airbus vendors earlier this month.