News Insights: Credit Info Exposed in TransUnion Data Security Incident

Using a credential stuffing attack, an unauthorized person was able to gain access to a TransUnion Canada web portal and use it to pull consumer credit files.

News Insights:

Laurence Pitt, global security strategy director at Juniper Networks:

“Whatever the cause of the attack, however, organizations need to be more careful about protecting data in all states – whether at rest or on the move. It should only have been possible to access this sensitive data remotely using a corporate device, and through a VPN client, to ensure that authentication and the records accessed could be logged. In addition, the use of a CASB (Cloud Access Security Broker) could have ensured not only a secure connection, but also detected any anomalous data access by the user as they downloaded the records – then shut down the connection and raised a security alert.”


Satya Gupta, co-founder and CTO of Virsec:

“Given the high likelihood that many users will reuse passwords across multiple services, techniques like credential stuffing can easily provide access to thousands of user accounts. Compromising a credit reporting account can open up even more sensitive personal data that is quickly sold to other attackers. At a minimum end-users should immediately implement strong passwords and multi-factor authentication. But restoring the privacy of data that has already leaked is almost impossible.”


Adam Laub, CMO at STEALTHbits Technologies:

“Credential stuffing and other password guessing attacks have been so popular because they’re easy to execute and likely to work. Until users choose to or are forced to leverage unique username and password combinations across the different sites and services they leverage – or passwords are eradicated completely – these attacks will continue to be a headache. Users should consider leveraging password managers on their computers and mobile devices to eliminate the need to remember their passwords in the first place. Businesses should consider validating passwords against breach dictionaries to prevent users from putting their accounts at risk.”


Rod Simmons, vice president of product strategy at STEALTHbits Technologies:

“Even bad passwords can be improved by simply implementing two-factor authentication. We all would like to see better practices when it comes to creating secure passwords. The reality is we need a technology transformation. Any clever tricks we have to create memorable passwords are not clever and are comprised as part of the billions of previously compromised passwords. Start with a password manager and two-factor authentication whenever available.”