4M+ exposed in TransUnion third-party data breach

TransUnion, one of America’s top three credit reporting agencies, reveals that millions of its US customers were exposed after hackers breached a third-party application.

The credit reporting agency has started reaching out to individuals impacted by a recent data breach. Information that the company submitted to the Maine Attorney General’s Office indicated the data breach happened on July 28th, 2025, and was discovered two days later.

TransUnion’s data breach notification, sent out to impacted individuals, says that TransUnion itself was not breached. Rather, the company’s third-party service provider suffered a hacker attack, which exposed TransUnion’s customers.

“The incident involved unauthorized access to limited personal information for a very small percentage of U.S. consumers. We are working with law enforcement and have engaged third party cyber security experts for an independent forensics review,”

the company told Cybernews.

“We are writing to make you aware of a cyber incident involving unauthorized access to some of your personal data that was stored on a third-party application. Importantly, no credit information was accessed,” TransUnion’s letter says.

Over 4.4 million TransUnion customers may have had their personal details exposed. According to the company, exposed details were limited to “specific data elements” that vary from person to person. TransUnion might not even know what customer data was exposed, due to a possible investigation into the attack.

Companies that suffer cyberattacks often hire external support to help them sift through data and uncover what data point were exposed to malicious actors.

TransUnion could not clarify what type of customer data was exposed. However, the company told Cybernews that the malicious incident involved personal information of “a very small percentage of US consumers.”

“The incident involved unauthorized access to limited personal information for a very small percentage of U.S. consumers. We are working with law enforcement and have engaged third party cyber security experts for an independent forensics review,” the company told Cybernews.

To help customers mitigate potential risks, TransUnion said it will provide impacted users with credit monitoring services, which implies that the exposed details likely include more than just customer names.

At least in theory, attackers could leverage information about TransUnion’s customers to attempt phishing attacks by crafting convincing emails that impersonate the company.

A supposedly “urgent” letter from a credit rating agency could push some into hasty responses – exactly what hackers want. In these types of attacks, cybercriminals’ main goal is to lure any additional details they can or to deploy data-stealing malware.

Last year, the company’s subsidiary, TransUnion Risk and Alternative Data Solutions (TRADS), reported suffering a social engineering attack involving “individuals misrepresenting themselves to gain access” to the company’s products and customer data.

Another data security incident impacted TransUnion’s international credit bureau. Reportedly, a Brazilian hacker collective, N4aughtysecTU, claimed responsibility for an attack against TransUnion’s South African division, allegedly stealing four terabytes of data.

Attackers demanded the company cough up a hefty $15 million ransom in bitcoin, or they would publish the data. TransUnion South Africa said it would not pay the ransom.

TransUnion is a credit reporting behemoth, with reported annual revenue exceeding $4 billion. Together with Experian and Equifax, the company is among the largest market players in the United States. According to he company, it covers credit histories of over 260 million US adults.

FAQ

Updated on August 28th [01:25 p.m. GMT] with a statement from TransUnion.