
Using a credential stuffing attack, an unauthorized person was able to gain access to a TransUnion Canada web portal and use it to pull consumer credit files. BleepingComputer has learned that starting last week TransUnion Canada began sending out data security incident notifications via postal mail to consumers whose information was exposed in a credential stuffing attack.

These notifications state that an unauthorized user utilized a TransUnion business portal to perform credit file lookups between June 28th and July 11th, 2019. The attacker was able to gain access to the portal using a TransUnion customer's account that was stolen in a credential stuffing attack.

Once the unauthorized user gained access to the TransUnion portal, they could perform credit searches using a consumer's name, address, DOB, or Social Insurance Number ("SIN"). If the correct information was entered, a credit file would be shown that contains the consumer's name, date of birth, current and past addresses, and information related to the credit, such as loan obligations, amounts owed, and payment history. Actual account numbers, though, would not be included in the report.

While this is not a data breach in the sense that the hacker was able to gain access to TransUnion's full database, it is still concerning as they would have been able to query for a consumer's credit file. As the information exposed in this security incident could easily be used by the attacker for identity theft, it is strongly recommended that all affected users monitor their credit history for fraudulent activity or new unauthorized lines of credit. Learn more by visiting OUR FORUM.

 
