Windows 10 News and info | Forum
October 16, 2019, Loading... *
Welcome, Guest. Please login or register.

Login with username, password and session length
News: This is a clean Ad-free Forum and protected by StopForumSpam, Project Honeypot, Botscout and AbuseIPDB | This forum does not use audio ads, popups, or other annoyances. New member registration currently disabled.
 
  Website   Home   Windows 8 Website GDPR Help Login Register  
By continuing to use the site or forum, you agree to the use of cookies, find out more by reading our GDPR policy.
Pages: [1]
  Print  
Share this topic on Del.icio.usShare this topic on DiggShare this topic on FacebookShare this topic on GoogleShare this topic on MySpaceShare this topic on RedditShare this topic on StumbleUponShare this topic on TechnoratiShare this topic on TwitterShare this topic on YahooShare this topic on Google buzz
Author Topic: Credit Info Exposed in TransUnion Credential Stuffing Attack  (Read 37 times)
javajolt
Administrator
Hero Member
*****
Offline Offline

Gender: Male
United States United States

Posts: 30589


I Do Windows


WWW Email
« on: October 08, 2019, 03:18:54 AM »
ReplyReply



Using a credential stuffing attack, an unauthorized person was able to gain access to a TransUnion Canada web portal and use it to pull consumer credit files.

BleepingComputer has learned that starting last week TransUnion Canada began sending out data security incident notifications via postal mail to consumers whose information was exposed in a credential stuffing attack.


                                  TransUnion Data Security Incident Notification - Click to see full size

These notifications state that an unauthorized user utilized a TransUnion business portal to perform credit file lookups between June 28th and July 11th, 2019. The attacker was able to gain access to the portal using a TransUnion customer's account that was stolen in a credential stuffing attack.

Quote
"Trans Union of Canada, Inc ("TransUnion") is writing to let you know about a data security incident. Our customer, CWB National Leasing Inc.'s ("CWB National Leasing"), has advised us that their access code to TransUnion systems may have been misappropriated and used to access information about you without authorization. Upon becoming aware of the incident, TransUnion commenced an investigation.

By way of background, TransUnion operates a portal through which our business customers can retrieve consumer credit files for permitted purposes. An unidentified person illegal obtained CWB National Leasing's access code and password to the portal, which has permitted access to some of TransUnion's credit file information between approximately June 28 and July 11, 2019. TransUnion has confirmed that the login credentials were terminated."


Once the unauthorized user gained access to the TransUnion portal, they could perform credit searches using a consumer's name, address, DOB, or Social Insurance Number ("SIN).

If the correct information was entered, a credit file would be shown that contains the consumer's name, date of birth, current and past addresses, and information related to the credit, such as loan obligations, amounts owed, and payment history. Actual account numbers, though, would not be included in the report.

TransUnion issued the following statement to BleepingComputer in response to our questions:

Quote
“TransUnion Canada learned in August that some consumer credit files in Canada may have been accessed without authorization through the fraudulent use of a customer’s login credentials.  While the unauthorized access was not the result of a breach or failure of TransUnion’s systems or our customer’s systems, the protection of consumer information is our top priority, and we therefore proactively notified the population whose information may have been accessed.

TransUnion continues to look for ways to further strengthen our defenses against unauthorized access of any kind to TransUnion data. All organizations are at risk of criminal attacks and fraud, and we support our customers in their efforts to protect data by sharing best practices and implementing safeguards such as access controls, monitoring, and audits.”


While this is not a data breach in the sense that the hacker was able to gain access to the TransUnion's full database, it is still concerning as they would have been able to query for a consumer's credit file.

As the information exposed in this security incident could easily be used by the attacker for identity theft, it is strongly recommended that all affected users monitor their credit history for fraudulent activity or new unauthorized lines of credit.

Affected consumers should also take advantage of the two years of free credit and fraud monitoring services being offered by TransUnion as part of this security incident.

source
Logged


Pages: [1]
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2017, Simple Machines

Google visited last this page October 11, 2019, 06:21:24 AM