Threat Actor Claims Major TransUnion Data Breach

A notorious threat actor linked to previous big-name breaches has released several gigabytes of personal data stolen from credit agency TransUnion, researchers have claimed.

An individual who goes by the moniker “USDoD” posted a 3GB database containing the personally identifiable information (PII) of 58,505 individuals, according to Vx-underground.

Although there’s no information on whether those are customers or employees, given the size of the company, at least some of the PII taken would appear to be from customers.

“The database appears to be compromised March 2 2022. This leaked database has information on individuals all across the globe including the Americas (North and South), as well as Europe,” Vx-underground stated in a post on X (formerly Twitter).

Among the PII apparently taken are first and last names, internal TransUnion identifiers, passport information including place and date of birth, marital status, age, employer information, credit scores and loan information.

That’s a significant trove for phishing actors to use in follow-on fraud attacks against the victims.

A separate post on X by Emsisoft threat analyst Brett Callow shows that USDoD posted the dump on BreachForums, the same site they used to share personal information stolen from 3200 Airbus vendors last week.

As with the Airbus leak, the actor claimed to be working with a ransomware group known as Ransomed.

USDoD has already hinted that more victims in the aerospace industry may soon be breached, including US defense contractors Lockheed Martin and Raytheon. Vx-underground also claimed the threat actor has compromised NATO.

Chad McDonald, CISO at Radiant Logic, argued that if the TransUnion breach is legitimate it should serve as a reminder to organizations to take proactive measures to prevent breaches.

“It’s easy for enterprises to struggle with their identity data, whether it’s identity silos, duplicates or anomalies – a lack of identity visibility and management can lead to inappropriate or outdated access to a business’s resources,” he added.

“By taking an identity-first security approach and consolidating identity data into a single, hardened data store, data breaches and leaks can be avoided from both outsider and insider threats.”

Interestingly, the date of the database compromise would seem to align with a ransomware incident at TransUnion’s South African business last year, when threat actors demanded a $15m ransom from the credit agency.

Update: TransUnion has released a statement claiming it has completed a thorough investigation and found that no data was exfiltrated from its systems. That raises the prospect of a supply chain breach.

“Through our investigation, we have found that multiple aspects of the messages – including the data, formatting, and fields – do not match the data content or formats at TransUnion, indicating that any such data came from a third party,” it said.
