TORONTO — A cybersecurity breach at TransUnion has underscored the rising threat of third-party attacks and the difficulty of preventing them.
The credit monitoring agency confirmed this week that the personal data of 37,000 Canadians was compromised when someone illegally used a legitimate business customer’s login to access TransUnion data.
Daniel Tobok, CEO of Cytelligence Inc., said he’s seen a rise in these kinds of attacks that use trusted partners to gain access to data.
“The reasons criminals are really liking that is because it’s very difficult to detect. There is normal usage, as a partner leveraging services.”
In the case of TransUnion, someone fraudulently used login information from the leasing division of Canadian Western Bank to access credit information on tens of thousands of Canadians, something the bank could potentially do while conducting regular business.
The data at TransUnion was compromised between June 28 and July 11, but the incident wasn’t detected until August.
“Unfortunately, there isn’t a lot of alarms and bells that go off when this occurs,” said Tobok.
About a quarter of the cyberattacks that Cytelligence deals with are related to third-party attacks after a rise in the past year, he said.
Because these attacks are so difficult to detect, preventive measures such as two-step verification are critical, said Tobok. The measures are especially important when gaining access to sensitive data like personal credit information.
In a letter sent out to affected consumers, TransUnion said the compromised information could include a person’s name, date of birth, current and former address, information on credit and loan obligations, and credit repayment history. It said the data wouldn’t have included any account numbers, but would have shown a social insurance number if the number was used while accessing the file.
Neither CWB nor TransUnion immediately provided details on what kind of multi-step verification they have in place.
Tobok said it’s difficult for major institutions to verify all their partners, but it’s becoming increasingly important because of the difficulty of detection.
“The only way to do this for them, TransUnion, is to enforce tougher policies and procedures for their vendors.”
He said it was also important for companies to invest more in training staff, changing behaviour so they don’t click on malicious links or other security flaws. Too often companies invest in the hardware and neglect the human side of cybersecurity.
“Everyone spends money on firewalls and servers and a lot of blinking lights, and they feel really warm and fuzzy. Unfortunately that’s only part of the job.”
© 2019 The Canadian Press