TransUnion data breach affects 4.4 million


TransUnion publicly disclosed on Thursday that a cyber incident last month impacted more than 4.4 million people in the U.S.

The breach, discovered on July 30, stemmed from unauthorized access to a third-party application that occurred on July 28, TransUnion said in a filing with the Maine attorney general.

The company said the unauthorized access involved personal data stored on a third-party application and did not involve credit reporting data. However, the company did not specify what kind of data was involved.

A TransUnion spokesperson said the incident involved "limited personal information for a very small percentage of U.S. consumers."

The spokesperson also said the company "quickly contained the issue, which did not involve our core credit database or include credit reports."

State laws and federal regulators require any company that suffers a data breach to offer identity protection services to individual victims, often for one to two years.

In this case, TransUnion offered victims of the data breach 24 months of free credit monitoring through its own service, myTrueIdentity Online.

Potential link to attacks targeting Salesforce

TransUnion did not name the specific third-party application involved in the breach, but it did say the application provided "consumer support operations."

This matches the description of Salesforce, which has recently been the target of social engineering attacks that victimize Salesforce enterprise customers.

When asked about the TransUnion data breach and whether Salesforce was the third party involved in the incident, a spokesperson for Salesforce said the company would not comment on "specific customer issues" and linked to a blog post by the company about protecting against social engineering.

Google's Threat Intelligence Group said in a June analysis it was tracking a financially motivated threat actor, ShinyHunters, specializing in vishing campaigns.

Google said ShinyHunters had successfully breached networks — including Google's own — by having its operators impersonate IT support personnel in telephone-based social engineering calls.

This approach tricked employees, often in English-speaking branches of multinational corporations, into actions that granted attackers access or led to the sharing of sensitive credentials, ultimately facilitating the theft of an organization's data, according to Google.

These attacks often targeted Salesforce systems, according to Google, but the cybersecurity researchers pointed out that the threat actor fools employees at the victim organizations rather than exploiting any vulnerability in Salesforce software.

Salesforce emphasized this point in a status message about the ongoing social engineering campaigns, saying, "the Salesforce platform has not been compromised, and this issue is not due to any known vulnerability in our technology."

A common ShinyHunters tactic involved deceiving victims into authorizing a malicious connected application, often a modified version of Salesforce's data loader, to their organization's Salesforce portal. This inadvertently granted ShinyHunters significant capabilities to access, query and exfiltrate sensitive information.

Previous TransUnion incident allegedly involved weak password

In March 2022, a threat actor said it had compromised a TransUnion South Africa server protected by a password set to "password," in a data leak the actor claimed included millions of personal records.

At the time, TransUnion confirmed the security incident but did not acknowledge whether the company had used a weak password. The credit bureau said in a press release that cybercriminals used an authorized client's credentials to access TransUnion data.
