Data breach at TransUnion impacts 4.4 million people

Nearly 4.5 million people were affected by a data breach at the credit reporting giant TransUnion, the company informed regulators this week.

According to a sample letter notifying victims of the breach, a cyber incident “involving a third-party application” used for customer support resulted in unauthorized access to “limited” personal information. No credit information was accessed, the company said.

The incident began on July 28 and was discovered two days later, TransUnion told the Maine attorney general. A separate filing in Texas shows that Social Security numbers were among the leaked information. 

The breach is the latest to target companies that hold huge amounts of data on people around the world. The insurance companies Allianz Life and Farmers Insurance were both recent victims of third-party breaches that are reportedly linked to social engineering attacks on Salesforce.   

The Google-owned firm Mandiant issued an advisory about the Salesforce attacks earlier this week, calling it a “widespread data theft campaign” and attributing it to the threat actor UNC6395. The hackers targeted OAuth tokens associated with the Salesloft Drift third-party application, Mandiant said.  

TransUnion did not say which third-party vendor was impacted, and did not respond to a request for comment. The company claims to have a database of credit histories on more than 260 million Americans.