Saturday, December 31, 2022

TransUnion data breaches, GDPR, CCPA, BIPA, and Ramirez

3 round icons representing CCPA, GDPR, and BIPA each of them on their sides implying things are not as they should be

TransUnion LLC, one of the three major credit reporting companies in the United States, also has branches on every continent but Antarctica. It is said that in the U.S. alone the personal information and credit histories of some 200 million consumers are stored on its servers; I have not been able to find verifiable information regarding consumers located outside the US.

Some of you may remember that TransUnion recently suffered a data breach (I will be using the GDPR definition of personal data breach which is "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed").

"How recently," comes the voice from the back of the room, "which one are you talking about?"

Good question; it is hard to keep track of them. Let's go over a few of them and later see what we can learn from them.

The Events

  1. In 2005 -- a long time ago (in dog years) -- TransUnion lost a laptop containing personal data from more than 3600 US consumers. The Chicago-based company offered up to one year of free credit reports to the affected customers. At the time -- one must remember these were pre-GDPR/CCPA/BIPA times -- some of the main questions raised were:
    • Were credentials to access the TransUnion databases and other systems also exposed?
    • TransUnion chose to report the data breach. At the time there was no real requirement to do so: the California Senate Bill 1386 of 2002, one of the first security breach notification laws, specified the criteria corporations should use to determine whether they were required to report the incident: if they answered "yes" to every single one of the following questions, they had to report the breach:
      1. Does their data include "personal information" as defined by the statute?
      2. Does that "personal information" relate to a California resident?
      3. Was the "personal information" unencrypted?
      4. Was there a "breach of the security" of the data as defined by the statute?
      5. Was the "personal information" acquired, or is reasonably believed to have been acquired, by an unauthorized person?
      The late Alan Paller, director of the SANS Institute at the time, warned this test provided a legal loophole for companies not to report data breaches since all 5 conditions have to be satisfied before a report is required.

    So TransUnion is very popular this month, this time due to a larger issue than possibly being used to send phishing emails.

  2. During the summer of 2019, the personal data of some 37000 Canadians held on TransUnion servers was compromised. Note that the Canadian Digital Privacy Act, which amended PIPEDA and introduced mandatory breach notification requirements, had become law 4 years earlier. Also, GDPR and CCPA had already become law.
  3. On March 12, 2022 ITWeb broke the story of a data breach, which caused TransUnion to admit that attackers had indeed stolen 28 million credit records. At first it was believed that more than 3 million South Africans and businesses such as Mazda, Westbank, and Gumtree were affected. The Brazilian group that claims responsibility for this act, "N4ughtysecTU," states it gained access through a poorly secured (password "Password") TransUnion SFTP server. TransUnion later stated that more than 5 million consumers were actually affected and once again offered a period of free credit reports to the affected customers.

    But Wait! There is more!
  4. On November 7, 2022 TransUnion reported to the Massachusetts Attorney General a data breach that could involve 200 million files profiling nearly every credit-active consumer in the United States. On the same day, TransUnion also sent out data breach letters to all individuals whose information it believes was compromised. As this is still developing, the true impact is yet to be learned.

OK, I will stop here. If they had another data breach between Nov 7 2022 and the time this was published, it should not affect the point of this article.

The Outcomes

According to GDPR Recital 75, the adverse effects of a personal data breach on a person (individual) include loss of control over their personal data, limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorised reversal of pseudonymisation, damage to reputation, and loss of confidentiality of personal data protected by professional secrecy. So, if TransUnion were a European company, or if people living in the European Economic Area (EEA) were affected by this personal data breach, then as the data controller it would have to submit a Personal Data Breach Notification to the Supervisory Authority within 72 hours, unless the breach poses no risk to the rights and freedoms of data subjects. In this case, they had better be reporting. The next step would be to inform all those possibly affected about what happened, what the consequences are for them, and what TransUnion is doing about it. Of course, those affected should be expected to file complaints with their regional Supervisory Authorities (Art. 77).

In the United States things are a bit different. The U.S. Supreme Court's 2021 decision in TransUnion LLC v. Ramirez held that only those who can show concrete harm have standing to seek damages against private defendants. How will victims of a personal data breach prove that their personal information was stolen and disclosed through the negligence of the company holding that data, and that this amounts to a violation of American consumer protection and privacy laws such as the California Consumer Privacy Act (CCPA) and the Illinois Biometric Information Privacy Act (BIPA)? Compare that with the already mentioned GDPR Article 77 and Recital 141, which require only that the data subject (i.e. the victim in this case) considers that his or her rights are infringed, or that the "supervisory authority does not act on a complaint, partially or wholly rejects or dismisses a complaint or does not act where such action is necessary to protect the rights of the data subject."

With that said, it is possible that this will change. Given that the US government and the European Union are currently actively working together to establish a new EU-US data flow deal (Privacy Shield 2?), one must wonder how they will balance this Supreme Court decision with GDPR. Which one will take precedence?

Fun Facts

  • I started this article mentioning the phishing campaign they were possibly being used to launch. What if that is related to this data breach? I mean, if your attack has been successful and you are already in the final (Actions on Objective) stage of the cyber kill chain and taking your time to hoover the victim's data, why not see what else you can do while there to pass time?
  • In addition to its main line of business, TransUnion also offers services to help companies "protect and restore consumer confidence" after a data breach (they do not list an office address there). In fact, they title themselves the "One-Stop-Shop Incident Response Solution."
  • I made those round images representing the 3 regulations mentioned here because I did not have an interesting image to put in this article. They turned out nice, so expect me to make more and use them in future posts. You have been warned!

Wednesday, December 21, 2022

FBI: Use ad blockers to protect against brand impersonation

Today the FBI announced that cyber criminals (who are easily recognizable, according to the news and many websites, by their predilection for wearing hoodies even in the summer) "are using search engine advertisement services to impersonate brands and direct users to malicious sites that host ransomware and steal login credentials and other financial information." Well, there are two parts to that:

Search engine advertising services

We are talking here about Search Engine Optimization (SEO), where you do magic tricks to move your website as close as possible to the top of the search results, since most people will not look beyond 2 pages of results for something. There are thousands of companies who make money helping businesses with this, including courses, Ez-Button products, and services ("give us your url, tell us what you think you do, and we will take care of the rest, for a price"). What the FBI is describing here is the weaponization of that, which has been known as SEO poisoning since 2020. An example is when it was used to distribute BATLOADER malware.

Brand Impersonation

This is a traditional phishing tactic and relies on techniques such as (not an exhaustive list):

  • typosquatting, which creates a fake website whose domain sounds close enough (within a typo or two) to that of a well-known website. They prey on people like me, who mistype a lot: if the browser returns a page that looks like the one the victim expects instead of an error page, they may never notice they are on the wrong site. This kind of attack is old enough -- yet still quite effective -- to be mentioned in the 1999 Anticybersquatting Consumer Protection Act (ACPA).
  • URL shortening, which converts long descriptive links into short, sometimes cute, ones that give you no idea of where they really lead. Good ad blockers will check these links against lists of known spammers and block them, as shown in the picture below, where uBlock Origin does not allow a shortened url identified by Peter Lowe's list of known domains serving ad content, tracking users, spyware servers, and occasionally malware and other nasty purposes.
    go.usa.gov being blocked by uBlock Origin
  • IDN homograph attack, where some of the characters in the url of a website are replaced by similar-looking characters (think 1 vs l), or by characters from a different alphabet that look the same in an HTML-formatted email. As a result this can be seen as a more sophisticated version of typosquatting.
All of these lead the victim to a website containing malware (think ransomware), some way to steal the victim's login credentials, or a combination of both.

Is this a new form of attack?

Nope.

Are ad blockers enough to stop this kind of attack?

There are no magic pills; ad blockers can only do so much. I recommend stopping and checking the url of any search engine result that smells suspicious. Some of the attacks mentioned above -- typosquatting and homographs -- can even be caught by pasting the url into a proper text editor (think Notepad on Windows or vim on Linux) that will not try to import fonts, and then just looking at it. With that said, I do use uBlock Origin myself; the picture at the top of this article is mine.
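To make the text-editor check above a bit more systematic, here is an added example (my own code, not part of the original post) that decodes punycode hosts, reports which Unicode scripts a domain mixes, and compares the host against a small allowlist of domains the user expects to visit, using a lookalike table and an edit-distance budget of "a typo or two". The allowlist, the lookalike table and the sample URLs are constructed for the example; the "last two labels" rule is a simplification that ignores multi-part public suffixes; and it goes beyond the post's 1-vs-l case by also catching Cyrillic letters that render identically to Latin ones.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist: the registrable domains this user expects to land on.
EXPECTED_DOMAINS = {"americanexpress.com", "transunion.com", "google.com"}

# Constructed lookalike table (not an exhaustive confusables list): digit/letter
# swaps plus a few Cyrillic letters that look exactly like Latin ones.
LOOKALIKES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "|": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}


def decode_host(url: str) -> str:
    """Host part of a URL with any punycode (xn--) labels decoded to Unicode."""
    host = (urlsplit(url).hostname or "").lower()
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed punycode: keep it raw so it stays visible
        labels.append(label)
    return ".".join(labels)


def scripts_in(text: str) -> set[str]:
    """Unicode scripts of the letters in text (first word of the character name)."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in text if ch.isalpha()}


def skeleton(host: str) -> str:
    """Collapse lookalike characters so visually identical hosts compare equal."""
    stripped = "".join(ch for ch in unicodedata.normalize("NFKD", host)
                       if not unicodedata.combining(ch))
    return "".join(LOOKALIKES.get(ch, ch) for ch in stripped)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of the host (ignores multi-part public suffixes)."""
    return ".".join(host.split(".")[-2:])


def assess(url: str) -> dict:
    """Classify the URL's domain as expected, homograph, confusable, typosquat or unknown."""
    host = decode_host(url)
    domain = registrable(host)
    scripts = scripts_in(domain)
    result = {"host": host, "domain": domain, "scripts": sorted(scripts),
              "verdict": "unknown", "lookalike_of": None}
    if domain in EXPECTED_DOMAINS:
        result["verdict"] = "expected"
        return result
    for expected in EXPECTED_DOMAINS:
        if skeleton(domain) == expected:
            # Same skeleton: a mixed-script host is a homograph, an ASCII one a digit swap.
            result["verdict"] = "homograph" if scripts - {"LATIN"} else "confusable"
            result["lookalike_of"] = expected
            return result
        if edit_distance(domain, expected) <= 2:
            result["verdict"] = "typosquat"
            result["lookalike_of"] = expected
            return result
    return result


if __name__ == "__main__":
    # Constructed sample URLs, including a punycode form of a Cyrillic-a lookalike.
    puny = "https://" + "tr\u0430nsunion.com".encode("idna").decode("ascii") + "/"
    for sample in ("https://www.americanexpress.com/login", "https://transuni0n.com/",
                   "https://transunoin.com/", puny, "https://example.org/"):
        print(sample, "->", assess(sample))
```

The skeleton comparison runs before the edit-distance check so that a single swapped character is reported as a lookalike rather than a generic typo; the scripts list is what the text editor trick shows you visually, here made explicit.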

Should I panic and flail my arms while running in circles?

You could; if you do, make a video of it.

Do you have links for those apps/extensions you mentioned?

Thursday, December 1, 2022

Phishing Is Too Easy - 5: Season to be Scammed Edition

Good news everyone: There are phishers who take pride in their work

We continue our series on phishing emails. I am glad to say a phisher heard my plea and stepped up to the challenge before Black Friday ended!

We have here an email that claims to come from American Express, stating there is a problem with my card and I need to click on the link to find out more. Let's ignore whether or not I have an American Express card, or this article would have ended right here. The timing was good: lots of people are going crazy purchasing millions of trinkets online, and then they receive an email saying their card has a problem. Did they go over the limit? Was its information stolen?

Good show old boy!

If I had such a card, what should I do next? The answer depends on how much effort we want to put in this:

For the impatient

You can't see in the picture but the From: field looks like this:

From: American Express MyCredit Guide <transunion@em-tuci.transunion.com>
Why would TransUnion, a US consumer credit reporting company, be sending emails for American Express? This should be enough for us to immediately drop this email and move on.

For the willing to spend a bit more time

First of all, when in doubt of whether a suspicious email is legit or not, find the official contact number/email of the company in question and reach out to them. In this case, I did call them. American Express said if they send an email, it will contain

  • Your name.
  • The last 4 digits of your card.
This email only contains the first name, so per American Express, it is at best suspicious. They did ask me to forward it to spoof@americanexpress.com, which I did.

For those with time to deep dive and ponder on the implications

Some of you may remember that TransUnion suffered a data breach recently. What if that data is being used to create targeted phishing emails? And what if the criminals are able to either impersonate TransUnion email addresses or still have access to its servers, so they can send emails through them? To answer that we need to look at the email headers:

ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@em-tuci.transunion.com header.s=scph0919 header.b="ou/BSRUG";
       spf=pass (google.com: domain of msprvs1=19329inrhx0ms=bounces-266758@bounce.em-tuci.transunion.com 
designates 147.253.210.36 as permitted sender) smtp.mailfrom="msprvs1=19329inrhX0MS=bounces-266758@bounce.em-tuci.transunion.com";
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=em-tuci.transunion.com
Return-Path: <msprvs1=19329inrhX0MS=bounces-266758@bounce.em-tuci.transunion.com>
Received: from mta-210-36.sparkpostmail.com (mta-210-36.sparkpostmail.com. [147.253.210.36])
        by mx.google.com with ESMTPS id 62-20020a630141000000b004778207ac4dsi7561754pgb.396.2022.11.26.12.06.50
        for Clueless Sheep
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Sat, 26 Nov 2022 12:06:50 -0800 (PST)
Received-SPF: pass (google.com: domain of msprvs1=19329inrhx0ms=bounces-266758@bounce.em-tuci.transunion.com designates 147.253.210.36 as permitted sender) client-ip=147.253.210.36;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@em-tuci.transunion.com header.s=scph0919 header.b="ou/BSRUG";
       spf=pass (google.com: domain of msprvs1=19329inrhx0ms=bounces-266758@bounce.em-tuci.transunion.com designates 147.253.210.36 as permitted sender) smtp.mailfrom="msprvs1=19329inrhX0MS=bounces-266758@bounce.em-tuci.transunion.com";
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=em-tuci.transunion.com
X-MSFBL: fXbaPXh+ne/E8ZM3Y6OyFt9TLlavvIujqeENrG6IrbY=|eyJyIjoicmF1YnZvZ2V sQGdtYWlsLmNvbSIsIm1lc3NhZ2VfaWQiOiI2MzgxZGE3MTgyNjM0YmI3ZmY3ZiI sInN1YmFjY291bnRfaWQiOiIwIiwiY3VzdG9tZXJfaWQiOiIyNjY3NTgiLCJ0ZW5 hbnRfaWQiOiJzcGMifQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=em-tuci.transunion.com; s=scph0919; t=1669493210; i=@em-tuci.transunion.com; bh=g54YI3MysS1MVd8EV8xjgfkc97E2Z2epcQAJzoXhCkw=; h=To:Message-ID:Date:Content-Type:Subject:From:List-Unsubscribe:
	 From:To:Cc:Subject; b=ou/BSRUG3cUbJKbYUZ1LVr3J0Z3xP7nFJPUjPutaxPAlyQU2bd2vFDbfNHxdU0LbB
	 HxEwc9YzSTrKnrbFfjcLwSxfZk48k6br1t4DI9fsDgWAimdohpxIGKK6ukD2NE1q/L
	 SESZw9WVeXNvoEVjsYIPh67accGucYF32laIH8ICsqeopmxSoaxsrjHBa/MBjqYZAz
	 8r+jHG+Ilr/QzlJ0Lq5rGA/hJGnHR3lPbkuVRFBsrnV9841IbsIpQDVOUdW172sQbQ
	 zZ+JErYKYYvpwmjqd6A4XMPu3TG9QcymMjHHYqcXRmtL4OdKzB8GKtksDI4uLakZkw
	 8HR0NVWvPUjzQ==

At first glance it seems the email came straight from TransUnion, specifically from the host em-tuci.transunion.com. But then we find the most interesting entry in the above header excerpt (which I highlighted):

Received: from mta-210-36.sparkpostmail.com (mta-210-36.sparkpostmail.com. [147.253.210.36])

It seems this email came from mta-210-36.sparkpostmail.com, whose IP (147.253.210.36) is designated as a permitted sender by the SPF record for bounce.em-tuci.transunion.com. From there it ends up in the Clueless Sheep's Gmail inbox because Google's mail server sees SPF, DKIM and DMARC all passing for the em-tuci.transunion.com domain.

But, who is SparkPost?

Short version: it is a mass emailing service. They seem to be well-known enough for Microsoft to have instructions on how to access them using a connector from within Azure. Does that mean SparkPost was compromised, or that the attackers obtained TransUnion's credentials for this service?
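As an added example (my own code, not from the post), the triage below parses the header excerpt shown above with Python's standard email module and turns the manual reading into a few explicit checks: do SPF, DKIM and DMARC all pass; does the brand named in the From display name appear anywhere in the sending domain; which host handed the message to Google's MX and does it belong to the sending domain; and is the Return-Path domain aligned with the From domain. The sample is the post's own excerpt re-folded so it parses (the recipient line was dropped and the body is a placeholder); the finding codes and the "last two labels" domain rule are my simplifications.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Header excerpt from the post, re-folded for parsing. Recipient line dropped,
# Subject and body are placeholders; the other header values are the post's.
SAMPLE = """\
Return-Path: <msprvs1=19329inrhX0MS=bounces-266758@bounce.em-tuci.transunion.com>
Received: from mta-210-36.sparkpostmail.com (mta-210-36.sparkpostmail.com. [147.253.210.36])
        by mx.google.com with ESMTPS id 62-20020a630141000000b004778207ac4dsi7561754pgb.396.2022.11.26.12.06.50
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Sat, 26 Nov 2022 12:06:50 -0800 (PST)
Authentication-Results: mx.google.com;
       dkim=pass header.i=@em-tuci.transunion.com header.s=scph0919 header.b="ou/BSRUG";
       spf=pass (google.com: domain of msprvs1=19329inrhx0ms=bounces-266758@bounce.em-tuci.transunion.com designates 147.253.210.36 as permitted sender) smtp.mailfrom="msprvs1=19329inrhX0MS=bounces-266758@bounce.em-tuci.transunion.com";
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=em-tuci.transunion.com
From: American Express MyCredit Guide <transunion@em-tuci.transunion.com>
Subject: (placeholder)

(body omitted)
"""

AUTH_RE = re.compile(r"\b(dkim|spf|dmarc)=(\w+)", re.I)
# "from <helo-name> (<reverse-dns> [<ip>])" as written by the receiving MX.
HOP_RE = re.compile(r"from\s+(\S+)\s+\(([^\s\[]+)\s+\[([\d.]+)\]\)")


def registrable(host: str) -> str:
    """Last two labels of a host (ignores multi-part public suffixes)."""
    return ".".join(host.rstrip(".").lower().split(".")[-2:])


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def auth_results(msg) -> dict:
    """Method -> result taken from the Authentication-Results header."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in AUTH_RE.finditer(msg.get("Authentication-Results", ""))}


def origin_hop(msg):
    """(host, ip) that handed the message to the receiving MX. Received headers
    are prepended as the message travels, so the earliest hop is the last one."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = HOP_RE.search(received[-1])
    return (m.group(1), m.group(3)) if m else None


def triage(raw: str) -> dict:
    """Run the header checks and return the parsed facts plus a list of (code, note)."""
    msg = message_from_string(raw)
    auth = auth_results(msg)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    bounce_domain = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    hop = origin_hop(msg)
    findings = []

    if all(auth.get(k) == "pass" for k in ("dkim", "spf", "dmarc")):
        findings.append(("auth-pass", f"SPF, DKIM and DMARC pass for {from_domain}; "
                         "this authorises the infrastructure for that domain, not the brand in the display name"))
    else:
        findings.append(("auth-fail", f"authentication not fully passing: {auth}"))

    # Brand words (4+ letters) in the display name should show up in the sending domain.
    tokens = [t.lower() for t in re.findall(r"[A-Za-z]+", display) if len(t) > 3]
    if tokens and not any(t in from_domain for t in tokens):
        findings.append(("brand-mismatch",
                         f"display name {display!r} names a brand absent from sender domain {from_domain}"))

    if hop and registrable(hop[0]) != registrable(from_domain):
        findings.append(("third-party-relay",
                         f"handed to the MX by {hop[0]} [{hop[1]}], not a {registrable(from_domain)} host; "
                         "check whether that provider is expected for this sender"))

    if bounce_domain and registrable(bounce_domain) == registrable(from_domain):
        findings.append(("return-path-aligned",
                         f"bounce domain {bounce_domain} is aligned with {from_domain}"))

    return {"auth": auth, "display_name": display, "from_domain": from_domain,
            "origin": hop, "findings": findings}


if __name__ == "__main__":
    for code, note in triage(SAMPLE)["findings"]:
        print(f"[{code}] {note}")
```

On the post's headers this reports auth-pass, brand-mismatch, third-party-relay and return-path-aligned together, which is exactly the situation the post describes: everything checks out cryptographically for em-tuci.transunion.com, yet the brand in the display name has nothing to do with that domain and the message entered Google's MX from a SparkPost host.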

So, is this Spearphishing via Service (T1566.003)?

If we read the MITRE ATT&CK® entry, it sounds like a very good possibility.

Some kind of Conclusion

Even though this phishing email was much better thought out than the insult mentioned in the last entry of the series, if you stop and examine it -- without first clicking on its links -- you can still identify it as such rather quickly, without needing to tear through its raw contents. Don't get me wrong: doing that is fun, but if you are trying to go through your daily routine and see this email, in less than 5 minutes you can make a call on whether it is legit or suspicious.

Ok, more if you have to wait on the phone listening to elevator music to talk to a company to verify if they sent said email.