TransUnion credential stuffing attack exposes Canadian users credit info

Tuesday 8 October 2019 11:00 CET | News

An unauthorised person was able to gain access to a TransUnion Canada web portal, via a credential stuffing attack, and use it to pull consumer credit files.

TransUnion Canada began sending out data security incident notifications via postal mail to consumers whose information was exposed, BleepingComputer has learned. TransUnion operates a portal through which business customers can retrieve consumer credit files for permitted purposes.

These notifications state that an unauthorised user obtained CWB National Leasings access code and password to the portal, which enabled the negative actor to view some of TransUnions credit file information between approximately June 28 and July 11, 2019.

Once the unauthorised user gained access to the TransUnion portal, they could perform credit searches using a consumers name, address, DOB, or Social Insurance Number (SIN).

If the correct information was entered, a credit file would be shown that contains the consumers name, date of birth, current and past addresses, and information related to the credit, such as loan obligations, amounts owed, and payment history. Actual account numbers, though, would not be included in the report.

While this is not a data breach in the sense that the hacker were able to gain access to the TransUnions full database, it is still concerning as they would have been able to query for a consumers credit file.

Free Headlines in your E-mail

Every day we send out a free e-mail with the most important headlines of the last 24 hours.

Subscribe now

Keywords: TransUnion, Canada, stuffing attack, online security, fraud prevention, credit info
Countries: World

Industry Events