TransUnion breach shows rising threat of third party cyberattacks

The credit monitoring agency confirmed this week that the personal data of 37,000 Canadians was compromised when someone illegally used a legitimate business customer’s login to access TransUnion data. (Pixabay photo)

TORONTO — A cybersecurity breach at TransUnion has underscored the rising threat of third-party attacks and the difficulty of preventing them.

The credit monitoring agency confirmed this week that the personal data of 37,000 Canadians was compromised when someone illegally used a legitimate business customer’s login to access TransUnion data.

Daniel Tobok, CEO of Cytelligence Inc., said he’s seen a rise in these kinds of attacks in which criminals gain access to their target through the account of a trusted third party such as a customer or vendor.

“The reasons criminals are really liking that is because it’s very difficult to detect. There is normal usage, as a partner leveraging services.”

In the case of TransUnion, someone used the login credentials for the leasing division of Canadian Western Bank to access credit information on tens of thousands of Canadians, something the bank could potentially do while conducting regular business.

The data at TransUnion was compromised between June 28 and July 11, but the incident wasn’t detected until August.

“Unfortunately, there isn’t a lot of alarms and bells that go off when this occurs,” said Tobok.

About a quarter of the cyberattacks that Cytelligence deals with are related to third-party attacks after a rise in the past year, he said.

Because these attacks are so difficult to detect, preventive measures such as two-step verification are critical, said Tobok. The measures are especially important when gaining access to sensitive data like personal credit information.

In a letter sent out to affected consumers, TransUnion said the compromised information could include a person’s name, date of birth, current and former address, information on credit and loan obligations, and credit repayment history. It said the data wouldn’t have included any account numbers, but would have shown a social insurance number if the number was used while accessing the file.

Tobok said it was also important for companies to invest more in training staff, changing behaviour so they don’t click on malicious links or other security flaws. Too often companies invest in the hardware and neglect the human side of cybersecurity.

“Everyone spends money on firewalls and servers and a lot of blinking lights, and they feel really warm and fuzzy. Unfortunately that’s only part of the job.”

Florian Kerschbaum, executive director of the Waterloo Cybersecurity and Privacy Institute, said that while cyberattacks of all kinds are seeing significant increases, he hasn’t seen many cases of third-party attacks by impersonating legitimate users.

Part of why they’re less common is because there are a number of generally good countermeasures that can be put in place, including multi-step verification and adaptive authentification that increases the difficulty of logging in depending on a variety of factors such as IP address, browser, and other indicators.

TransUnion said in a statement that the unauthorized access was “not the result of a breach or failure of TransUnion’s systems” but Kerschbaum questions whether the systems were properly thought through.

“They claim it is not a failure of the implementation of their security systems.

But it is more a failure of the design of their systems, that they don’t have these kinds of things in place.”

TransUnion says in its latest corporate responsibility report that it has a third-party risk management program in place, which sets out guidelines that must be met by its partners on a range of risks including strategic, financial, and information security risk.

The company did not respond to a request for more details on what kind of criteria it imposes on partners or security measures it has for accessing the data.

Kerschbaum said criminals are becoming increasingly sophisticated in their methods of fooling people, including attacks tailored to individual employees with specific information to fool them to release confidential information like passwords.

“As an attacker, you always attack the weakest link, and in a lot of cases unfortunately the weakest link is in front of the keyboard.”

Canadian Western Bank, parent company of the CWB National Leasing division whose login information was used in the attack, said it has been unable to determine how the login credentials were illegally acquired.

The incident is the latest of numerous data breaches in recent years, including the Equifax breach in 2017 which exposed the information of 147 million people, including about 19,000 Canadians.

More recently, Capital One said in July that the data of six million Canadians was hacked, including about a million social insurance numbers. Desjardins said in June that the data of about 2.7 million accounts were hit with a breach.

This report by The Canadian Press was first published Oct. 10, 2019.