TransUnion breached

It seems the scope of the damage is unknown. I guess we will have to see if we get letters. https://appleinsider.com/articles/22/11 ... nformation

It will be interesting to learn the scope of the data breach, as well as why or how it occurred. I was not affected by the Equifax data breach that occurred years ago; that data breach was because of poor security.

"TransUnion Incident Response solutions offer immediate and comprehensive support to businesses as they navigate cyber security incidents. From post-incident analysis to personalized protection recommendations for your consumers, TransUnion has you covered with a variety of services, including" Protect and restore consumer confidence, quickly and effectively, with TransUnion's Incident Response solutions.

Credible wrote: ↑Sat Nov 12, 2022 11:05 am It will be interesting to learn the scope of the data breach, as well as why or how it occurred. I was not affected by the Equifax data breach that occurred years ago; that data breach was because of poor security.

In their self-report to the Massachusetts Attorney General, they mention driver's license numbers and financial account information, along with notifying the customers affected by email. Here's hoping this means it was only a breach of their own credit monitoring service that they sell for $29.95 (!) a month! That service would store that kind of data for identity protection services. myFICO even had a section where I could enter my health insurance card number for darkweb monitoring. It also had inputs for driver's license, multiple bank account numbers, all credit card numbers, etc.

As someone who used to have their TrueCredit service when it was $10 a month, I sure hope this doesn't affect me!

Whether or not your report is frozen wouldn't have any bearing on the ability to have the data breached would it?

BrutalBodyShots wrote: ↑Sat Nov 12, 2022 1:50 pm Whether or not your report is frozen wouldn't have any bearing on the ability to have the data breached would it?

It's highly unlikely having it frozen would help either of us. (I also have all 3 CRAs frozen. Ever since March 2020.) These hacks go after the data store itself - the actual database and admin tools. There's no border gateway to that like there is for outside lenders attempting a credit pull. The only thing that can stop it is what's called Encryption At Rest (EAR), where the database itself is encrypted with keys. If someone were to download the entire set of database storage files (very common), they wouldn't be able to read them. The reason that so many major companies don't use that is due to key management issues. The private key needs to be kept off the filesystem at all times, or someone could just take that and still read the encrypted files they just downloaded. The simplest, cheapest solution is to require the key passphrase to be entered manually on a database server reboot/restart/recovery/update. This isn't for the entire machine, just the software server running on that machine, so these minor in-place restarts can happen rather frequently, which annoys IT departments. So much so that they'd rather not bother to set it all up properly and just risk an Equifax-level breach. I'm aware of how ridiculous and crazy it sounds that more companies aren't using EAR by default. (The Equifax CEO testified under oath in front of Congress that they were not using EAR at the time of the breach.)

Great info above, thanks for passing it on!

Cassie wrote: ↑Sat Nov 12, 2022 11:38 am

Credible wrote: ↑Sat Nov 12, 2022 11:05 am It will be interesting to learn the scope of the data breach, as well as why or how it occurred. I was not affected by the Equifax data breach that occurred years ago; that data breach was because of poor security.

In their self-report to the Massachusetts Attorney General, they mention driver's license numbers and financial account information, along with notifying the customers affected by email. Here's hoping this means it was only a breach of their own credit monitoring service that they sell for $29.95 (!) a month! That service would store that kind of data for identity protection services. myFICO even had a section where I could enter my health insurance card number for darkweb monitoring. It also had inputs for driver's license, multiple bank account numbers, all credit card numbers, etc.

~Whether sound or not, this is why I don't use CMS for services I can and do receive from a more likely qualified source, especially considering the CMS/Bureau breaches. For all of my paid services I have so much missing information for the identify theft/dark web services. Not giving out any identifiers you don't already have and definitely not my bank account information to a CMS. Even when EX Boost came along, not sure I needed, but I was still on my mission to 850's and EX has been my punisher. As soon as I read what information I had to provide, decided, " Never mind".