Another credit reporting agency breach, another terrible breach notification letter

September 25, 2025

Recently, in the process of trying to temporarily unfreeze our credit reports so we could apply to something or other I don’t recall, we discovered that my wife’s TransUnion account was broken and inaccessible as a result of the most recent of a long string of changes TransUnion has made to their end-user-facing web apps. My wife had to spend a long time on the phone with TransUnion to get it fixed.

This, of course, means that she was one of the victims of their recent SalesForce / Drift security breach.

A few days ago, my wife received this letter from TransUnion (highlighting added by me; image follows, text is at the bottom of this blog posting, for those who need it):

Let’s talk about all the ways this is terrible.

First and foremost, of course, is the fact that this breach occurred in the first place. The credit reporting agencies have had breach after breach after breach, with no end in sight. It is patently obvious at this point that they aren’t and never will be secure enough until there are adequate financial incentives in place to make it more expensive to keep allowing these breaches to happen than it would be to do what it takes to prevent them.

“But this one isn’t actually TransUnion’s fault, it’s SalesForce’s!” Nope. TransUnion is responsible for ensuring that the third-party vendors they use have adequate security. TransUnion is responsible for not outsourcing functions that cannot be adequately secured by third parties. TransUnion is ultimately responsible for the security of the data it holds.

Moving on, look at the first heading I highlighted above, “What happened?” Now look at the text following it. There isn’t a single word about “what happened.” I only know it’s the SalesForce breach because I’m an information security professional who follows the news about stuff like this. The vast majority of the people who receive this letter will not have a clue how this happened. Putting the section header “What happened?” in your breach notification letter does not actually satisfy your obligation to tell victims what happened. YOU ACTUALLY HAVE TO TELL THEM WHAT HAPPENED.

Similarly, look at the section headed “What we are doing.” Do you see any concrete information in that section about what they are doing to prevent similar breaches in the future? Of course not, it’s just meaningless generalizations and platitudes, because, as we all know, they are doing NOTHING. They will face no repercussions for the breach, it will barely make a blip in their profit, and nothing will change.

Heck, they don’t even need to pay a third-party service to provide the fraud assistance and remediation service they’re offering to consumers who were impacted by this breach, because they’ve farmed out responsibility for that to a company they own. “You couldn’t trust us to keep your data safe, but you should trust us to help you deal with the fallout,” is certainly a thing a company can say, but whether anybody actually believes it is a different question entirely.

TransUnion wants to tell us about “Steps You Can Take to Help Protect Your Personal Information.” Please forgive me for momentarily resorting to profanity as I say, hey, TransUnion, you can fuck off into the sun with that noise. This breach and what you are doing about it plainly demonstrates, for the nth time, that there is nothing anyone in the U.S. can do to adequately protect their personal information, short of dropping off the grid and living in a log cabin in the woods. Until we have meaningful federal data privacy laws (which remains unlikely to ever occur) with substantive penalties for companies failing to protect consumer data, this is going to keep happening, and there’s nothing we can do about it.

Finally, I want to point out the absolutely amateurish formatting of this breach notification letter, which is in my opinion indicative of the competence (or lack of same) of the people managing this breach (and, therefore, of how important TransUnion really thinks it is to manage the breach competently):

  • As I’ve already mentioned, neither the “What happened?” nor the “What we are doing.” section contains the content it should.
  • “Notice of Data Incident” should be bold, or in a larger font, or both.
  • The leaked information also obviously included people’s names, but they don’t mention that in the “What information was involved?” section.
  • They wrote “8a.m.” without a space, followed immediately by “8 p.m.” with a space.
  • While we’re on the subject, when a time range is written out like that, it should use an en dash, not a hyphen.

Are some of these minor, petty issues? Absolutely. But in my experience, “minor, petty issues” like this are a strong signal about a company’s overall competence. In other words, maybe these things don’t matter a lot, but they’re a pretty good indicator about the things that do.

UPDATE: Cyberscout is just as bad at security as the rest of TransUnion

The login process at Cyberscout, for accessing the free credit monitoring offered by TransUnion as a result of this breach, uses outdated practices. Everything about the password guidance it presents is wrong:

  • “Update this frequently to keep your account secure” — No! We’ve known for decades that forcing people to change passwords on a schedule reduces security rather than increasing it: people respond with predictable increments and reuse. NIST SP 800-63B says verifiers should not require periodic changes, and should force a change only when there is evidence the password has been compromised.
  • Enforcing password quality by requiring specific character classes — No! Composition rules produce “P@ssw0rd1”-style values that satisfy the letter of the rule while remaining trivially guessable. NIST SP 800-63B says verifiers should not impose composition rules, and should instead enforce a minimum length and screen candidates against a blocklist of breached, common, and context-specific values.
  • Using security questions for backup authentication — No! Knowledge-based answers (mother’s maiden name, first car) have never been secure, and are even less so now that everybody’s data is out there thanks to the never-ending flow of security breaches, including this one. NIST SP 800-63B says verifiers shall not use knowledge-based authentication.
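As an added illustration (not code from this post or from Cyberscout), here is a small Python checker that puts the composition-rule approach side by side with what SP 800-63B actually asks for: a minimum length and a generous maximum, screening against a blocklist of breached and common passwords, rejection of context-specific words and trivial patterns, and no composition rules or calendar-driven expiry. The blocklist, the length thresholds, the user and service names, and the sample passwords are constructed assumptions for the example.

```python
import re

# Constructed sample of a breached/common-password blocklist. A real deployment
# would check against a large corpus such as Have I Been Pwned's Pwned Passwords
# (k-anonymity range API or a local copy) rather than this hand-picked set.
BREACHED_BLOCKLIST = {
    "password", "p@ssw0rd", "p@ssw0rd1", "123456", "qwerty123",
    "letmein!", "summer2025", "welcome1",
}

MIN_LENGTH = 8    # SP 800-63B: memorized secrets must be at least 8 characters
MAX_LENGTH = 64   # SP 800-63B: verifiers must accept at least 64 characters


def legacy_rules(pw: str) -> list[str]:
    """Composition-rule checker of the kind criticised above: demands one of
    each character class and says nothing about whether the value is guessable."""
    problems = []
    if len(pw) < 8:
        problems.append("too short")
    if not re.search(r"[A-Z]", pw):
        problems.append("missing uppercase letter")
    if not re.search(r"[a-z]", pw):
        problems.append("missing lowercase letter")
    if not re.search(r"\d", pw):
        problems.append("missing digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("missing symbol")
    return problems


def _has_trivial_pattern(pw: str) -> bool:
    """Flag runs of one repeated character ('aaaa') and runs of four consecutive
    ascending or descending code points ('1234', 'dcba'), which SP 800-63B lists
    among the values a verifier should reject."""
    if re.search(r"(.)\1{3,}", pw):
        return True
    for a, b, c, d in zip(pw, pw[1:], pw[2:], pw[3:]):
        steps = (ord(b) - ord(a), ord(c) - ord(b), ord(d) - ord(c))
        if steps in ((1, 1, 1), (-1, -1, -1)):
            return True
    return False


def nist_rules(pw: str, context_words: tuple[str, ...] = ()) -> list[str]:
    """SP 800-63B-style checker: length bounds, a breached/common-password
    blocklist, context-specific words (username, service name) and trivial
    patterns. No composition rules and, by design, no expiry: a password is
    changed on evidence of compromise, not on a calendar."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    normalized = pw.casefold()
    if normalized in BREACHED_BLOCKLIST:
        problems.append("appears in breached/common-password blocklist")
    for word in context_words:
        if word and word.casefold() in normalized:
            problems.append(f"contains context-specific word {word!r}")
    if _has_trivial_pattern(pw):
        problems.append("repetitive or sequential characters")
    return problems


def compare(pw: str, context_words: tuple[str, ...] = ()) -> dict[str, list[str]]:
    """Run both checkers so the divergence is visible side by side."""
    return {"legacy": legacy_rules(pw), "nist": nist_rules(pw, context_words)}


if __name__ == "__main__":
    # 'P@ssw0rd1' satisfies every composition rule yet sits in the blocklist;
    # the passphrase fails the composition rules yet is the stronger secret.
    # 'janedoe' and 'transunion' are assumed username and service name.
    for candidate in ("P@ssw0rd1", "correct horse battery staple", "tu2025-janedoe"):
        print(candidate, compare(candidate, context_words=("janedoe", "transunion")))
```

The point the side-by-side makes is the one in the bullet above: the legacy checker accepts “P@ssw0rd1” and rejects a four-word passphrase, while the blocklist-based checker does the opposite. The blocklist lookup is where the real strength comes from, so in production it should be a full breached-password corpus, not a handful of literals.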

They also only support email, voice calls, and SMS for two-factor authentication, with no option for an authenticator app or a hardware security key.

This is no longer considered adequate: NIST SP 800-63B classes SMS and voice (PSTN) out-of-band authentication as restricted, because SIM swapping and call forwarding let an attacker receive the code, and it does not recognize email as an out-of-band authenticator at all.

The security posture of any company which is still doing the above things in 2025, especially a company whose entire reason for existence is, ostensibly, cybersecurity and privacy, cannot be taken seriously.


Here is the text of the letter pictured above:

TransUnion Event
c/o Cyberscout
P.O. Box 1286
Dearborn, MI 48120-9998

[personal information elided]

September 9, 2025
Notice of Data Incident
To [name elided]:
We are writing to make you aware of recent unauthorized access to some of your personal data. We are providing details about the resources we are providing to assist you.
What happened?
We regret any concern caused by this incident and take seriously the responsibility to help secure consumer information. Below you will find information on what we have done to prevent further improper access, as well as steps you can take to help protect your personal information.
What information was involved?
The information was limited to specific data elements and did not include credit reports or core credit information. In your case, the information involved included your SSN and DOB.
What we are doing.
TransUnion takes the protection of personal information seriously, which is why we engage in robust, proactive security measures. We continue to enhance our security controls as appropriate to minimize the risk of any similar incident in the future.
What you can do.
In response to the incident, we are providing you with access to credit monitoring services that will alert you whenever there is a change to your credit file. We are offering these services at no charge for 42 months from the date you enroll.
We are also providing you with proactive fraud assistance to help with any questions that you might have now or in the event that you become a victim of fraud. These services will be provided by Cyberscout, a TransUnion company specializing in fraud assistance and remediation services.
If you have any questions about this matter or would like additional information, please refer to the enclosed Steps You Can Take to Help Protect Your Personal Information or call toll-free 1-800-516-4700. This call center is open Monday through Friday from 8a.m.-8 p.m. Eastern Time, except major holidays.
Sincerely,
TransUnion Consumer Relations
