Chicago-based TransUnion, one of the ‘big three’ consumer credit reporting agencies, has announced that a data breach has been experienced that has potentially allowed an unauthorized individual to gain access to the data of tens of thousands of Canadians.
The breach has not affected any consumers in the United States and is far more limited than the data breach the credit reporting agency Experian, which affected 147 million individuals, including 19,000 Canadians. TransUnion said the data breach was not due to a failure of its own security measures.
According to a statement issued by the company, a hacker obtained the login credentials of a division of Canadian Western Bank, CWB National Leasing. The Winnipeg firm conducts credit checks on customers looking to rent equipment.
The credentials were used by the attacker to access a TransUnion Canada database containing the information of approximately 37,000 Canadians over a two-week period between June and July 2019. CWB has issued a statement confirming that the credentials were used to perform unauthorized credit checks on consumers but stated that no personal information held by the bank was obtained, disclosed, or misused as a result of the breach. Similarly, CWB stated that the breach was not due to a failure of its security protections. It is currently unclear how the credentials were obtained. The investigation into the data breach is continuing.
The breach was identified by TransUnion in August and notification letters have been sent to all affected individuals. Neither TransUnion nor CWB has disclosed what types of information were obtained by the attacker, although TransUnion did issue a statement saying, “consumer credit files may have been accessed.”
By performing credit checks, the attacker would likely have been able to access information such as names, current addresses, former addresses, credit repayment histories, credit and loan obligations, and in some cases, social insurance numbers.