TransUnion disclosed that a cyber incident affected a third-party application used by its US consumer-support operations, exposing personal information for about 4.461 million individuals. The attack occurred on July 28 and was detected two days later, according to a filing with the Office of the Maine Attorney General.
A template letter to victims is also being issued by Maine authorities template letter.
The company said the breach did not involve its core credit database or credit reports, and that the exposed information was limited to specific data elements. Typical data elements include names, home and email addresses, and phone numbers; in some cases, passports, driver\’s licenses and national identity cards could be involved.
In a letter to consumers, TransUnion said: “TransUnion recently experienced a cyber incident that affected a third-party application serving our US consumer support operations. Upon discovery, we quickly contained the issue, which did not involve our core credit database or include credit reports. The incident involved unauthorized access to limited personal information for a very small percentage of US consumers. We are working with law enforcement and have engaged third party cybersecurity experts for an independent forensics review.”
As part of the response, the company will offer credit monitoring for 24 months via its myTrueIdentity Online service, and fraud assistance will come from Cyberscout, a TransUnion-owned company.