Following the cyberattack on credit bureau TransUnion, the South African Banking Risk Information Centre (Sabric) has said it is working with local banks to coordinate a response to the incident aimed at protecting consumers.
TransUnion revealed in a statement on Friday that a “third party” obtained access to one of its servers through the “misuse of an authorised client’s credentials”.
It confirmed, too, that it had received an extortion demand – with the attackers reportedly seeking US$15-million in payment. TransUnion, which has not confirmed the figure, said the attackers will not be paid.
ITWeb reported on Friday that the attackers, the Brazilian hacker group N4autysecTU, had stolen the personal records of 54 million South Africans in a breach involving 4TB of data. The personal information obtained could include names and ID numbers. However, a TransUnion spokeswoman said on Saturday that the company believes the 54 million records “relate to a 2017 data incident unrelated to TransUnion”.
Sabric CEO Nischal Mewalall said in a statement on Saturday that the organisation has engaged with TransUnion “with the aim to coordinate the banking industry’s efforts to secure bank customers’ profiles against abuse”.
“South African banks take the security of their customer data very seriously and have put in place robust risk mitigation strategies to detect potential fraud on accounts and protect customer personal information as the investigation unfolds,” Mewalall said.
“The compromise of personal information does not guarantee access to a customer’s banking profile or account, but criminals can use this information to impersonate people or trick them into disclosing their confidential banking details.”
Identity management practices
Sabric said bank customers should always follow “sound identity management practices to mitigate the risk of identity theft and fraudulent applications”. These include:
- Not disclosing personal information such as passwords and Pins when asked to do so by anyone via telephone, fax or even e-mail;
- Changing passwords regularly and never sharing them with anyone else;
- Verifying all requests for personal information and only providing it when there is a legitimate reason to do so; and
- Not using the information that may have been compromised. Rather use other personal information that you have not used previously to confirm your identity in future, Sabric said.
Sabric is a non-profit created by the banks to support the industry in combating crime. – © 2022 NewsCentral Media