Cyber Incident Victim: TransUnion
Date: Mar 2022
Location: South Africa
Summary
Hackers breached a TransUnion South Africa server using stolen credentials, brute-forcing an SFTP account whose weak password was "Password", and exfiltrated approximately 4TB of data affecting an estimated 54 million customers, primarily in South Africa but also in other African nations. The attackers, operating under the name N4ughtysecTU, demanded a $15 million Bitcoin ransom and threatened to extort clients directly with separate "insurance" payments to exclude their data from public release. The company refused payment, engaged cybersecurity and forensic experts, collaborated with law enforcement, and offered free identity protection services to impacted individuals. While TransUnion asserted the breach was confined to its South African operations, the incident exposed sensitive consumer data across multiple countries.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On or around March 15, 2022, unauthorized individuals breached a TransUnion South Africa server, leading to significant data exposure. The attackers, identifying as the Brazilian hacking group N4ughtysecTU, gained access by brute-forcing credentials on an SFTP server protected by the weak password "Password". This credential had been stolen prior to the attack. The threat actors claimed to have exfiltrated approximately 4 terabytes of data containing records of 54 million individuals, primarily from South Africa but also including data from other unspecified African countries. They demanded a $15 million Bitcoin ransom from TransUnion, threatening to publish the stolen data if unpaid. Additionally, the group announced plans to extort TransUnion's clients directly by offering "insurance" payments—$1 million for large businesses and $100,000 for smaller ones—to exclude their data from public release.

TransUnion South Africa confirmed the breach in a public statement dated March 18, 2022, disclosing that the incident involved a single South Africa-based server compromised via stolen credentials. The company refused to pay the ransom and engaged cybersecurity experts, digital forensic investigators, law enforcement, and local regulators. While asserting the breach impacted only its South African operations—excluding Botswana, Kenya, Namibia, Rwanda, Swaziland, Zambia, and Malawi—the hackers contradicted this by alleging multinational data exposure. TransUnion initiated notifications to affected individuals and offered complimentary identity protection services. CEO Lee Naik emphasized the company’s commitment to data security and assistance for impacted parties. Independent cybersecurity analysts cautioned that paying ransoms does not guarantee data deletion, advising organizations to assume stolen information could resurface regardless of payment. The incident highlighted vulnerabilities stemming from weak credential practices, with forensic reports indicating the compromised password ranked among the most commonly used and easily brute-forced credentials globally in 2021.
