Recently, TransUnion disclosed it had suffered a data breach this summer, when a third-party client’s credentials were stolen. The personal data of 37,000 Canadians was compromised. TransUnion sent out a letter to affected customers letting them know that, “the compromised information could include a person's name, date of birth, current and former address, information on credit and loan obligations, and credit repayment history. It said the data wouldn't have included any account numbers, but would have shown a social insurance number if the number was used while accessing the file.”
The fraudulent access to the account occurred between June and July of this year. Because the data was accessed by a legitimate account, TransUnion wasn’t aware of the breach until August. The third party was identified as CWB National Leasing. As said by company spokesperson Maya Filipovic, "In August, we learned that CWB National Leasing's account was illegally used by an unauthorized third party to perform unauthorized credit checks." Canadian Western Bank, parent company of the CWB National Leasing, said it has been unable to determine how the login credentials were illegally acquired.
Daniel Tobok, CEO of Cytelligence Inc., said in a interview with BNN Bloomberg, he's seen a rise in these kinds of attacks where criminals gain access to their target through the account of a trusted third party, such as a customer or vendor. Tobok say, “The reasons criminals are really liking that is because it's very difficult to detect. There is normal usage, as a partner leveraging services.” Which is why it took TransUnion nearly two months to discover the breach. Tobok recommends preventive measures such as two-step verification because these types of attacks are difficult to detect. Especially when gaining access to sensitive data like personal credit information.
Tobok also recommends more staff training, in an effort to change behaviour so they don't click on malicious links or other security flaws. Too often companies invest in the hardware and neglect the human side of cybersecurity. As seems to be the case with TransUnion, technical security features were put in place, but a stolen password was all it took. Contrast this with Equifax, who were recently roasted in the papers for their lax security measures.
So, what should companies do to make sure this doesn’t happen to them? It seems that better staff training around phishing could have been helpful, in addition to adding multi-factor authentication for those cases where a password is stolen. In addition, Dark web monitoring for company credentials could have also been useful if it was noticed that the credential had been stolen and was up for sale on the dark web. Ensuring your third-party customers and partners are also employing strong security measures, and limiting their access to only what they need to know will also help prevent a scenario such as this one.