Credit reporting giant TransUnion has confirmed a data breach that exposed the personal information of more than 4.4 million customers.
In a filing with Maine’s attorney general’s office on Thursday, the company attributed the incident — which took place on July 28 — to unauthorized access of a third-party application used for its U.S. consumer support operations. The compromised app contained customers’ personal data.
TransUnion insisted that “no credit information was accessed,” but offered no supporting evidence. The filing also did not clarify which types of personal data were initially exposed.
However, in a separate disclosure to Texas’ attorney general’s office later that day, TransUnion acknowledged that the stolen information includes customers’ names, dates of birth, and Social Security numbers.
When contacted by TechCrunch, TransUnion spokesperson Jon Boughtin declined to answer questions about what additional personally identifiable information may have been compromised.
As one of the largest credit reporting agencies in the U.S., TransUnion holds the financial data of more than 260 million Americans. The breach makes it the latest major U.S. corporation to fall victim to cyberattacks, following recent incidents targeting the insurance, retail, and transportation and airline industries.
In recent weeks, several other companies have also disclosed breaches, including Google, Allianz Life, Cisco, and Workday. All reported that hackers accessed customer data stored in Salesforce-hosted cloud databases. Google attributed its breach to the cybercrime group ShinyHunters, which is known for extortion campaigns.
It remains unclear who was responsible for the TransUnion breach or whether the attackers made any demands.
Updated with TransUnion’s statement and additional details from the Texas state filing.