TransUnion suffers data breach impacting over 4.4 million people

Consumer credit reporting giant TransUnion warns it suffered a data breach exposing the personal information of over 4.4 million people in the United States. TransUnion is one of the three major credit bureaus in the United States, alongside Equifax and Experian. It operates in 30 countries, employs 13,000 staff, and has an annual revenue of $3 billion. It collects and maintains credit information on over 1 billion consumers worldwide, with approximately 200 million of those based in the U.S. This information is shared with 65,000 businesses, including lenders, insurers, and employers. According to a filing submitted to the Office of the Maine AG, the breach occurred on July 28, 2025, and was discovered two days later. A sample of the notifications distributed to impacted clients earlier this week specifies that the incident involved a third-party application serving the company's consumer support operations. "We recently experienced a cyber incident involving a third-party application serving our U.S. consumer support operations," reads the data breach notice. "The unauthorized access includes some limited personal information belonging to you." The data exposed in this incident was "limited" according to the company, although what exactly it might entail hasn't been specified in the sample notification. Instead, the letter underlines that no credit reports or core credit information were exposed in this incident. TransUnion is now offering those impacted 24 months of free credit monitoring and identity theft protection services. A wave of Salesforce data theft attacks has impacted numerous companies this year, including Google, Farmers Insurance, Allianz Life, Workday, Pandora, Cisco, Chanel, and Qantas. These attacks have been conducted by the Shiny Hunters extortion group, and more recently, by a cluster tracked as UNC6395. BleepingComputer contacted TransUnion with questions about whether this breach was related to Salesforce, and we will update this article if we receive a response. Two years ago, a threat actor claimed a data breach at TransUnion, which the company rejected, saying that the data had been stolen from a third party. In previous years, the company's South African and Canadian branches suffered cybersecurity breaches that exposed customer information.