TORONTO — A cybersecurity breach at TransUnion has underscored the rising threat of third-party attacks and the difficulty of preventing them.
The credit monitoring agency confirmed this week that the personal data of 37,000 Canadians was compromised when someone illegally used a legitimate business customer’s login to access TransUnion data.
Daniel Tobok, CEO of Cytelligence Inc., said he’s seen a rise in these kinds of attacks in which criminals gain access to their target through the account of a trusted third party such as a customer or vendor.
“The reasons criminals are really liking that is because it’s very difficult to detect. There is normal usage, as a partner leveraging services.”
In the case of TransUnion, someone used the login credentials for the leasing division of Canadian Western Bank to access credit information on tens of thousands of Canadians, something the bank could potentially do while conducting regular business.
The data at TransUnion was compromised between June 28 and July 11, but the incident wasn’t detected until August.
“Unfortunately, there isn’t a lot of alarms and bells that go off when this occurs,” said Tobok.
About a quarter of the cyberattacks that Cytelligence deals with are related to third-party attacks after a rise in the past year, he said.
Because these attacks are so difficult to detect, preventive measures such as two-step verification are critical, said Tobok. The measures are especially important when gaining access to sensitive data like personal credit information.
In a letter sent out to affected consumers, TransUnion said the compromised information could include a person’s name, date of birth, current and former address, information on credit and loan obligations, and credit repayment history. It said the data wouldn’t have included any account numbers, but would have shown a social insurance number if the number was used while accessing the file.
Tobok said it’s difficult for major institutions to verify all their partners, but it’s becoming increasingly important because of the difficulty of detection.
“The only way to do this for them, TransUnion, is to enforce tougher policies and procedures for their vendors.”
TransUnion says in its latest corporate responsibility report that it has a third-party risk management program in place, which sets out guidelines that must be met by its partners on a range of risks including strategic, financial, and information security risk.
The company did not provide details on what kind of criteria it imposes on partners.
Tobok said it was also important for companies to invest more in training staff, changing behaviour so they don’t click on malicious links or other security flaws. Too often companies invest in the hardware and neglect the human side of cybersecurity.
“Everyone spends money on firewalls and servers and a lot of blinking lights, and they feel really warm and fuzzy. Unfortunately that’s only part of the job.”
The incident is the latest of numerous data breaches in recent years, including the Equifax breach in 2017 which exposed the information of 147 million people, including about 19,000 Canadians.
More recently, Capital One said in July that the data of six million Canadians was hacked, including about a million social insurance numbers. Desjardins said in June that the data of about 2.7 million accounts were hit with a breach.
This report by The Canadian Press was first published Oct. 10, 2019.
Ian Bickis, The Canadian Press