Using a credential stuffing attack, an unauthorized person was able to gain access to a TransUnion Canada web portal and use it to pull consumer credit files. BleepingComputer has learned that starting last week TransUnion Canada began sending out data security incident notifications via postal mail to consumers whose information was exposed in a credential stuffing attack.
TransUnion Data Security Incident Notification (Click to see full size) These notifications state that an unauthorized user utilized a TransUnion business portal to perform credit file lookups between June 28th and July 11th, 2019. The attacker was able to gain access to the portal using a TransUnion customer's account that was stolen in a credential stuffing attack.
"Trans Union of Canada, Inc ("TransUnion") is writing to let you know about a data security incident. Our customer, CWB National Leasing Inc.'s ("CWB National Leasing"), has advised us that their access code to TransUnion systems may have been misappropriated and used to access information about you without authorization. Upon becoming aware of the incident, TransUnion commenced an investigation. By way of background, TransUnion operates a portal through which our business customers can retrieve consumer credit files for permitted purposes. An unidentified person illegal obtained CWB National Leasing's access code and password to the portal, which has permitted access to some of TransUnion's credit file information between approximately June 28 and July 11, 2019. TransUnion has confirmed that the login credentials were terminated."
Once the unauthorized user gained access to the TransUnion portal, they could perform credit searches using a consumer's name, address, DOB, or Social Insurance Number ("SIN).
If the correct information was entered, a credit file would be shown that contains the consumer's name, date of birth, current and past addresses, and information related to the credit, such as loan obligations, amounts owed, and payment history. Actual account numbers, though, would not be included in the report.
TransUnion issued the following statement to BleepingComputer in response to our questions:
“TransUnion Canada learned in August that some consumer credit files in Canada may have been accessed without authorization through the fraudulent use of a customer’s login credentials. While the unauthorized access was not the result of a breach or failure of TransUnion’s systems or our customer’s systems, the protection of consumer information is our top priority, and we therefore proactively notified the population whose information may have been accessed.
TransUnion continues to look for ways to further strengthen our defenses against unauthorized access of any kind to TransUnion data. All organizations are at risk of criminal attacks and fraud, and we support our customers in their efforts to protect data by sharing best practices and implementing safeguards such as access controls, monitoring and audits.”
While this is not a data breach in the sense that the hacker were able to gain access to the TransUnion's full database, it is still concerning as they would have been able to query for a consumer's credit file.
As the information exposed in this security incident could easily be used by the attacker for identity theft, it is strongly recommended that all affected users monitor their credit history for fraudulent activity or new unauthorized lines of credit.
Affected consumers should also take advantage of the two years of free credit and fraud monitoring services being offered by TransUnion as part of this security incident.