Photo via: Pixabay
Photo via: Pixabay
N4aughtySecTU which claims to be responsible for hacking TransUnion has leaked a Cell C customer database and ANC member database as proof that they are responsible for the hack.
TransUnion South Africa which is one of the country’s largest credit bureau confirmed that a “criminal third party” gained access to one of its servers this past weekend.
N4aughtysecTU is reportedly demanding a $15 million ransom (R224m) from TransUnion for over four terabytes of data.
The group reportedly gave TransUnion seven days to pay the ransom in bitcoin.
TransUnion confirmed that they received an extortion demand and it will not be paid.
“Based on our investigation to date, we believe that the incident impacted an isolated server holding limited data from our South African business. We believe that the 54 million records relate to a 2017 data incident unrelated to TransUnion.”
The group which claims to be from Brazil has began leaking “samples” to prove that they are indeed in possession of data of over 54 million South Africans
The ANC database reportedly contains limited physical address information, while the Cell C dataset includes email addresses, some physical addresses, and bank account information.
The ANC database contains 1 211 447 records, and Cell C’s leaked contract subscriber database contains 1 809 497 records. However, according to the metadata of the leaked files, the ANC database is from 21 August 2017, while the Cell C database is dated 3 October 2010.
The group also said it also obtained a data base from the Department of Home Affairs. It also threatened to leak databases of major banks such as Capitec, Nedbank, Standard Bank and FNB.
In a TV interview, Advocate Collen Weapond from Information Regulator said TransUnion could end up being fined up to R10-million.
Weapond explained that TransUnion is supposed to comply with the eight conditions. He revealed that failing to do so could result in the Information Regulator investigating and giving out a fine of R10 million or up to 10 years in prison.
“Responsible parties including TransUnion are supposed to comply with those conditions. Failure which could result with the regulator investigating the security compromise which can result in a fine of up to R10-million or imprisonment of up to 10 years or compilation of both in terms of section 1/7 of the Protection of Personal Information Act.”