Unanswered questions in TransUnion Canada data breach

Two days after TransUnion Canada acknowledged cautioning 37,000 Canadians that their personal information may have been copied by a hacker, several unanswered questions remain.

The credit bureau said in a statement that someone got hold of login credentials used by Winnipeg-based CWB National Leasing, which does credit checks on customers wanting to rent a wide range of equipment, and used them to access the TransUnion Canada database over a two-week period.

Since then TransUnion hasn’t replied to some follow-up questions, nor has CWB replied to IT World Canada for comment.

It isn’t unusual for victim companies to say as little as possible after a data breach, but it also leaves a few questions unresolved:

• TransUnion says “consumer credit files may have been accessed without authorization through the fraudulent use of a legitimate customer’s login credentials (CWB).” If CWB was hacked by an outsider, how did that happen? Our guess is that one of the staff who had the ability to log into TransUnion Canada fell for a phishing scam;
• The TransUnion statement leaves open the possibility a CWB employee was the attacker. TransUnion has not replied by press time to a clarification query. Nor has CWB chief executive Michael Dubowec replied to a request for comment;
• Does TransUnion mandate the use of multifactor authentication in addition to the standard username and password for all business customers who accessed its databases? If not, what other practices did it have to prevent unapproved access?
• Why did it take so long for the breach to be discovered?
• Why wasn’t the exfiltration of thousands of files discovered?

Halifax-based privacy lawyer David Fraser noted in an interview on Tuesday that many questions raised immediately after a breach is discovered won’t be answered until internal investigations are finished.

“Your defence is only as strong as the weakest link,” noted Fraser, a member of the McInnes Cooper law firm. “Obviously there are some question marks about exactly what happened here, but there are vulnerabilities all over the place in any distributed access system.

“Certainly there are a large number of data breaches I’ve seen that probably could have been prevented by the use of two-factor authentication because phishing attacks are so common and people give out their usernames and passwords quite readily.

“For any system that holds sensitive information and relies on usernames and passwords, I think two-factor authentication has become table stakes. It’s what should be a minimum expectation. It’s not foolproof, but having it is better than not.”

He’s also seen the use of another technology deployed in the financial and health sectors, broadly called user behaviour analytics, which looks for unusual network behaviour of individuals. Fraser said he hopes this technology becomes more widespread.

Related Download
Sponsor: CanadianCIO


Cybersecurity Conversations with your Board – A Survival Guide
A SURVIVAL GUIDE BY CLAUDIO SILVESTRI, VICE-PRESIDENT AND CIO, NAV CANADA
Download Now

Comments are closed.