A cybersecurity breach at TransUnion Canada has underscored the rising threat of third-party attacks and the difficulty of preventing them.
TransUnion confirmed this week that the personal data of 37,000 Canadians was compromised when someone illegally used a legitimate business customer’s login to access TransUnion data. The data at TransUnion was compromised between June 28 and July 11, but the incident wasn’t detected until August.
Daniel Tobok, CEO of Cytelligence Inc., said he’s seen a rise in these kinds of attacks in which criminals gain access to their target through the account of a trusted third party such as a customer or vendor. “The reasons criminals are really liking that is because it’s very difficult to detect. There is normal usage, as a partner leveraging services.” In the case of TransUnion, someone used the login credentials for the leasing division of Canadian Western Bank to access credit information on tens of thousands of Canadians, something the bank could potentially do while conducting regular business. “Unfortunately, there isn’t a lot of alarms and bells that go off when this occurs,” said Tobok.
About a quarter of the cyberattacks that Cytelligence deals with are related to third-party attacks after a rise in the past year, he said. Because these attacks are so difficult to detect, preventive measures such as two-step verification are critical, said Tobok. The measures are especially important when gaining access to sensitive data like personal credit information.
In a letter sent out to affected consumers, TransUnion said the compromised information could include a person’s name, date of birth, current and former address, information on credit and loan obligations, and credit repayment history. It said the data wouldn’t have included any account numbers, but would have shown a social insurance number if the number was used while accessing the file.
Tobok said it was also important for companies to invest more in training staff, changing behaviour so they don’t click on malicious links or other security flaws. Too often companies invest in the hardware and neglect the human side of cybersecurity. “Everyone spends money on firewalls and servers and a lot of blinking lights, and they feel really warm and fuzzy. Unfortunately that’s only part of the job.”
TransUnion said in a statement that the unauthorized access was “not the result of a breach or failure of TransUnion’s systems”.
TransUnion says in its latest corporate responsibility report that it has a third-party risk management program in place, which sets out guidelines that must be met by its partners on a range of risks including strategic, financial, and information security risk.
Canadian Western Bank, parent company of the CWB National Leasing division whose login information was used in the attack, said it has been unable to determine how the login credentials were illegally acquired.