N4ughtySecTU, a supposed hacker group that says it is based in Brazil, has claimed responsibility for the attack on TransUnion South Africa's server and demanded $15 million (R223 million) in Bitcoin in exchange for not leaking 4TB of data online. The breach has further compromised the Department of Home Affairs database containing the identity information of 54 million South Africans.
To back its extortion attempt and prove the authenticity of the data, the group has publicly leaked a database of senior ANC and EFF politicians' names, physical addresses, I.D. numbers, cell phone numbers, and license plate numbers. There are 1,211,447 records in the ANC caucus database. The ANC database, according to the metadata of the leaked files, dates back to 21 August 2017.
To break through TransUnion's security safeguards, N4ughtySecTU used a brute force attack to guess login credentials.
This old attack technique works when organizations have poor password management controls. In the case of TransUnion, the word “password” was used as the password to access the South African server.
Poor password management by TransUnion
To break through TransUnion's security safeguards, N4ughtySecTU has said that it used a brute force attack.
The Information Regulator is presently looking into the source of the breach and whether TransUnion was negligent. For egregious negligence or contributory fault, the Regulator has the authority to levy fines and penalties on TransUnion.
The South African Banking Risk Information Centre (Sabric) said it was engaging with TransUnion to coordinate the banking industry’s efforts to secure customers’ profiles against abuse.
“South African banks take the security of their customer data very seriously and have put in place robust risk mitigation strategies to detect potential fraud on accounts and protect customers’ personal information, as the investigation unfolds,” Sabric said.
In light of the TransUnion data breach, iAfrikan.com urges all South Africans to be extremely vigilant when banking and transacting telephonically or online. Beware of calls or emails prompting you to confirm or correct your details.
— By Bataung Qhotsokoane