

TransUnion Says Hackers Stole 4.4 Million Customers' Personal Information (techcrunch.com)
An anonymous reader quotes a report from TechCrunch: Credit reporting giant TransUnion has disclosed a data breach affecting more than 4.4 million customers' personal information. In a filing with Maine's attorney general's office on Thursday, TransUnion attributed the July 28 breach to unauthorized access of a third-party application storing customers' personal data for its U.S. consumer support operations.
TransUnion claimed "no credit information was accessed," but provided no immediate evidence for its claim. The data breach notice did not specify what specific types of personal data were stolen. In a separate data breach disclosure filed later on Thursday with Texas' attorney general's office, TransUnion confirmed that the stolen personal information includes customers' names, dates of birth, and Social Security numbers. [...] It's not clear who is behind the breach at TransUnion, or if the hackers made any demands to the company.
Customers (Score:3)
Re: Customers (Score:1)
Re: (Score:3)
Because not everyone who has credit today had credit back then. It's important to fix this recurring problem today for the benefit of future generations. "A society grows great when old men plant trees whose shade they know they shall never sit in." (Greek proverb)
Re: (Score:3)
Re: (Score:2)
and being fed to some local LLM
Re: (Score:2)
Are these "customers" people who voluntarily gave their info to TransUnion or people who became "customers" by some other route?
I get that 99.999999% are not "customers" of theirs [slashdot.org] at all - purely victims of their monopoly power.
*bet, not 'get' (Score:2)
Re: (Score:2)
I get that 99.999999% are not "customers" of theirs [slashdot.org] at all - purely victims of their monopoly power.
Monopoly? There's also Equifax and Experian. If anything, credit bureaus make the lending industry more competitive by centralizing the risk management aspect at an independent third party. Without them, you'd end up with a cartel of banks that shared risk information between members and any new competition would be locked out.
Re: (Score:2)
Monopoly? There's also Equifax and Experian.
LoL! Sweet, naive innocent child!
Re: (Score:2)
LoL! Sweet, naive innocent child!
If it really bothers you, start a grassroots movement to have a law passed to require them to delete your data upon request. No credit is effectively just as bad as bad credit, so if that's what you really want, have at it.
Re: (Score:2)
you in fact don't have any choice (or control) over which of those assholes gets your data.
Again, this could be entirely addressed with an opt-out law. If you want your history to be blank at the bureaus you'd rather not have an association with, they should allow that option. However, lenders would still be free to interpret that as "what is this person trying to hide?" and consider you a higher risk. And if you cleared all your data on all three, that'd be like marking your feedback as private on eBay. No lender would want to touch you.
Most people actually want good credit, because that mea
Re: (Score:2)
Most people see competition as being able to get the lowest APR loan on a brand new car, and the credit bureaus make that kind of shopping around for a better loan possible. The "choice" of not being subject to data collection though, comes down to not doing business with creditors that report to the credit bureaus. If you're not happy with that, again, call or write your elected representatives and make democracy work for you. Bitching at me that the bureaus are not regulated to a level of your satisfac
Re: You're the moron (Score:2)
It's not your data. It's the credit agency's data. You don't have a right to have others delete data about you. If I take a photo of you, you can't make me delete it.
Re: reanjr is a stalker (Score:3)
Dude...you're the one who posed for him...
Re: (Score:2)
Okay, your wish has been hypothetically granted - you have a magic button that lets you delete all your information from the credit bureaus. Now, try getting a loan or line of credit and see what happens.
Re: Customers (Score:2)
Can't get a loan? That's a positive for most people. Most people should never have taken the loans they have and getting cut off is the best thing for them.
Re: (Score:2)
On the other hand, if they had NOBODY's information, it might really level the playing field.
But the problem I have with them is the way they mash information together with little to no concern for its accuracy.
Re: (Score:2)
They co-operate and are owned by the same people. Think oligarchy and corporatocracy. From one perspective, the entire 'credit score' industry is basically centralized economic surveillance, no one gets credit unless they agree to being financially surveilled and classified. This is exactly what classism looks like.
Re: (Score:2)
no one gets credit unless they agree to being financially surveilled and classified.
Which is exactly the same thing banks would do on an individual level without some sort of centralized risk repositories. You want to see what credit looks like without credit checks? Those businesses do exist, but you'd likely want nothing to do with them because they're even scummier than the major banks that pull your credit.
Re: (Score:2)
Hardly, I deal with a small credit union that knows what I have and provides me with credit based on my history with them.
Re: Customers (Score:2)
If the whole dataset is 4.4M, that suggests it's more direct customers, rather than third party reporting. I'm guessing TransUnion has third party data on most Americans who have ever used credit, so that would be way more than 4.4M.
It's probably closer to the number of people who sign up for credit reports.
Re: (Score:2)
Might be, in the sense that many people like me, have created an account specifically to freeze our credit, in order to lock out scammers from creating accounts by getting credit scores without our authorization.
Re: (Score:2)
New corporate speak. Customer = stalking victim.
People are idiots (Score:3)
Protect data... but not a big deal since every American's info has been stolen several times from several companies because they are idiots.
Re: (Score:2)
From the summary, this appears to have been a deliberate act by an employee, who used unauthorized software. It's not clear that the company itself, or its security policies or regimens, are actually at fault here.
We need a building code (Score:3)
The safety of a normal building is ensured in part because we require by law that it follow a building code, and that it be inspected, with fines if they don't fix it. Otherwise buildings would be built cheaply and shitty and falling down on us all the time.
We need a building code for the technology that critical companies (like the credit bureaus) use. Otherwise they will just keep having shit security and we will all be hacked constantly forever.
Re: (Score:2)
Yep. And once upon a time, before building codes, buildings used to be built that way. Building codes took centuries (millennia!) to develop. It was not immediately obvious what needed to go into them, and the politics of the whole matter complicated things further. Computer system codes will likely take the same, at least, since computer systems are not as simple as buildings.
Re: (Score:2)
isn't that basically what PCI, HIPAA and such were supposed to be?
Re: (Score:2)
Buildings are all generally the same and are built according to plans that are formalized in advance. Every piece of software is unique and evolves.
Builder: How many floors do you want in your building?
Customer: We're not really sure. Start with two, and we'll see how many more we need after we start moving in.
Years later, a 50 story building collapses because it's made of wood.
Re: (Score:2)
insurance companies got tired of the expense of covering death traps.
those buying a house don't want to buy a death trap - or more specifically the banks making the big loans to buy a house didn't want to be stuck losing everything when that death trap falls apart or goes up in flames killing the 'owner' leaving the bank with nothing but land with a junk pile.
Sure, codes indirectly protect your life - but make no mistake they exist primarily so that your debt ca
Re: We need a building code (Score:2)
You don't need codes. You need liability and insurance.
Say - for example - a builder wants to build a 4 bedroom $1M house. They might have to attach a bond to that build before sale that would cover $1M for the house replacement, $250k for restoration/cleanup of the property in case of total loss, $1M for each bedroom in life insurance, and $250k for property inside, totalling a $5.5M insurance policy on the build.
That bond would stay with the house for 30 years, after which the bond and any interest accrued g
Lack of information.... (Score:2)
I'm a fan of liability.
The media industry had a fine law passed (https://www.law.cornell.edu/uscode/text/17/504) that set minimum statutory damages at $750 to $30,000 per copyright violation. It could, of course, be more.
I think that the same law should be written for personal information - statutory damages of $1000 to $10,000 per event, set by the type of personal information leaked. You leak my name and email address? You pay me $1000. You leak my name, credit card numbers and CVNs, you pay me $5000.
Re: Lack of information.... (Score:2)
Liability is so much better than regulation.
In my utopian society, corporations would actually be treated like people. And when those people commit crimes, they would go to prison. If no one can figure out who at the company is directly responsible, the whole C-suite and board have to serve time.
Re: (Score:2)
It gets tricky though. Who is liable?
Say I write some software, and sell it to another company. It is complicated software, and requires expertise to operate it in a secure manner. Company A buys my software, and uses it fine (they have behaved responsibly - proper testing, risk-assessments, etc.). Company B also uses my software, and has a data leak using it (they are slap-dash - no testing, no third party testing, etc.).
Am I liable here? Company A's situation suggests that my software is fine when properly
Re: (Score:2)
I.e. Cost of liability is X million, but with insurance that drops to Y million.
If X > Y then the company will probably avoid the violation.
If X <= Y then the company will probably consider it a cost of doing business, especially if their premiums don't go up in response. Or they can find some other way to offset the cost. (Pass it along to cons
Re: (Score:2)
We have them, standards like SOC2, PCI, etc.
The problem is, like building codes themselves, these standards can easily be circumvented.
When I was in college, my university built a new auditorium. For aesthetic reasons, they wanted the railings to be lower than was allowed by building codes in effect. So they waited for the inspectors to sign off on the building codes, then lowered the railings to where they wanted them.
Software isn't much different. Processes and codes are complex and subject to interpretat
Re: (Score:2)
Re: (Score:2)
I know this well. I've personally headed up SOC2 and HIPAA audits. In every company where I've worked, the audits only cover specific software that the company builds, and excludes other "legacy" software that the company intends to retire one day. But they never get around to retiring that legacy software, leaving themselves exposed, and effectively lying to their customers about their certification. Further, those auditors often have no clue what they are doing. They ask questions from a script, writing d
We Have No Choice (Score:1)
Re: (Score:2)
Some of us choose to create accounts, specifically to lock down our credit reports, since there is no other way to do this.
MAGAs: (Score:1)
"See, toldja ya can't trust those trans-genders!"
Re: (Score:2)
MAGAs
Found one! Do us all a favor and fuck off already?
Re: (Score:1)
You MAGAs bully and belittle them and then act surprised when they snap.
Re: (Score:1)
Maybe they were bullied when younger and thus associated their problems with youth. Snapped people don't act rationally by definition.
Re: (Score:1)
It gives HateJelicals a talking point for their simple-minded echo chambers.
Re: MAGAs: (Score:2)
Would you prefer an axe?
https://www.news.com.au/nation... [news.com.au]
Oh, the irony ... (Score:5, Insightful)
TransUnion sells identity protection services that monitor for exposure of exactly the same kinds of data (name, DOB, SSN) that were themselves stolen in the breach. In other words:
What they promise to watch for: unauthorized exposure of your personal identifiers.
What hackers actually took from them: those same identifiers.
That’s a bit like a lock company being robbed of its own keys.
It highlights a fundamental problem: once those “static” identifiers (SSN, DOB, etc.) are stolen, they can’t really be changed. Unlike a password, you can’t just “reset” your Social Security number.
That’s why breaches at credit bureaus are particularly concerning — they’re custodians of the most sensitive personal data, and when they get breached, the damage is both widespread and long-lasting.
Re: (Score:3)
Don't worry, if your info was part of this breach, and you paid for their identity protection, they'll send you a nice email saying that your data has been breached. Isn't that worth the money you paid for your subscription?
Re: (Score:2)
Only if you're a subscriber :-)
They should put up a page on their site where you can check if your information was in the breach, and if it was, give you, free, more than a year of monitoring (like 5+ years).
It shouldn't be too difficult to find who it was that did the "unauthorized access of a third-party application storing customers' personal data"... why is the information stored by a third party? It should be stored on a rack of servers in the broom closet, behind like three firewalls on battery backu
This is just dreadful! (Score:2)
Alternate title: (Score:3)
"Privacy Rapists That Deal in Customers' Personal Information Leak 4.4 Million Customers' Personal Information"
There FTFY.
Ugh (Score:2)
Re: (Score:2)
Was it?
Before credit scores, it was much harder to get loans, including mortgages. Credit cards weren't a thing (for better or worse). Underwriting processes took much longer. Credit was granted or denied based on whatever whims the lender thought were important, whether they were fair or not. With credit scores, many more people can get funding, than could before credit scores, and the decision making for lenders is much more transparent and data-driven.
Re: (Score:2)
Those loans are also a lot more exploitative of the person taking them out. (More info for the lender to use during negotiations that isn't easily countered by some random individual.) In some cases allowing the lender to overleverage them.
Credit cards in this case being actual credit not the debit cards (+ often compulsory overdraft "protection" and associated
Re: (Score:2)
The fact that theft is possible, doesn't negate the value of credit scores. Before credit scores, theft of cash was possible too, and happened very frequently.
The fact that some people misuse credit or do business with predatory lenders, also doesn't negate the value of credit. You are essentially arguing that the availability of CREDIT is a bad thing, not the credit scores themselves. Credit, like money itself, can be misused. But the availability of credit greases the wheels of the economy and of personal
Will they offer 1yr of free credit monitoring? (Score:2)
I also wonder if they will ironically offer those affected by the breach a free year of credit monitoring through TransUnion.