TransUnion South Africa breach (South Africa, 2022)
Threat actor N4ughtySecTU breached TransUnion South Africa using a client account secured with the password 'Password', then demanded a $15 million ransom. TransUnion confirmed millions of consumers' personal data were compromised.
- Victim: TransUnion South Africa
In March 2022, TransUnion South Africa — one of the country's major credit bureaus — was breached by a group calling itself N4ughtySecTU, which then demanded a $15 million ransom. The attack became infamous for its absurdly simple entry point: a client account allegedly protected by the password "Password."
What happened
The attackers gained access using the stolen credentials of an authorised TransUnion client. According to the group, the compromised account was secured with the password "Password" — a trivially guessable credential on an account with access to bureau data. There was no need for a sophisticated exploit; basic credential abuse was enough.
N4ughtySecTU claimed to have exfiltrated 4 terabytes of data covering 54 million people and numerous businesses, and demanded $15 million to refrain from publishing it. TransUnion refused to pay. The company engaged external forensic specialists and emphasised that it found no evidence the incident extended beyond its South African business.
Impact
- TransUnion confirmed that personal information of consumers and businesses was compromised, including identity and contact details.
- The headline "54 million records" figure was disputed: TransUnion stated that a large portion of the criminals' claimed data was unrelated to it or derived from older, separate breaches, while confirming a smaller set of its own records was genuinely affected.
- The breach reinforced public alarm in South Africa, coming barely a year after the Experian disclosure and amid heightened POPIA enforcement attention.
Why it matters
The TransUnion South Africa case is a stark lesson in credential hygiene and third-party access. A national credit bureau — custodian of identity and credit data for tens of millions — was reportedly breached through a single account with a default-grade password and no effective multi-factor protection. It underscored two systemic risks: the concentration of sensitive population data in a handful of bureaus, and the danger of granting standing client access without enforcing strong authentication. Together with Experian, it cemented South African credit bureaus as repeat, high-value targets and accelerated regulatory pressure for stronger access controls.
Timeline
- Attackers access a TransUnion South Africa server using the stolen credentials of an authorised client whose password was reportedly 'Password'.
- The group N4ughtySecTU claims to have stolen 4 terabytes of data covering 54 million people and demands a $15 million ransom.
- TransUnion confirms a security incident, says it engaged external forensic experts, and refuses to pay the extortion demand.
- TransUnion clarifies that some of the criminals' claimed records were unrelated to it, while confirming a smaller set of its own consumer and business data was compromised.
- South Africa's Information Regulator engages TransUnion over the incident as part of POPIA oversight.
Sources
- dailymaverick.co.za: https://www.dailymaverick.co.za/article/2022-03-19-transunion-union-data-breach-leaves-54-million-south-africans-exposed/
- cyberscoop.com: https://cyberscoop.com/south-africa-transunion-data-breach/
- newsroom.transunion.co.za: https://newsroom.transunion.co.za/update-south-africa-cyber-incident/
- bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/hackers-claim-to-breach-transunion-south-africa-with-password-password/
- securityweek.com: https://www.securityweek.com/transunion-confirms-data-breach-south-africa-business/