Credit Bureau Breach Zero-Day SQLi 4.4M Records
4.4 Million Credit Files, One Missing Patch — How TransUnion's "Zero-Day Wednesday" Became a Data-Broker Goldmine
"While the mid-week coffee cart rolled past TransUnion's Chicago HQ, an unknown adversary brewed a zero-day in the consumer portal—and walked off with every credit score Americans pretend doesn't matter."
SA
Savety AI TeamIncident — When "Check Your Score" Became "Check, Please"
| Date (CST) | Event |
|---|---|
| 19 Jun 09:03 | Attacker exploits unpatched CVE-2025-2841 (SQLi → RCE) in TransUnion SmartView portal |
| 19 Jun 09:07 | Web-shell "tu.jsp" dropped; Mimikatz harvests IIS service account (NTLM hash) |
| 19 Jun 09:15 | Cobalt Strike beacon to 185.220.100[.]xyz; lateral move to credit-analytics subnet |
| 19 Jun 09:29 | 4.4 M rows exported – SSN, DOB, full name, current employer, VantageScore 4.0, mortgage balance |
| 19 Jun 09:42 | 7-zip archive (11 GB) uploaded to Mega + AnonFiles; public link posted on Breached.to |
| 19 Jun 10:00 | TransUnion SOC receives auto-alerts; portal taken offline |
| 22 Jun | Sample of 50 k records leaked – proof-of-breach; ransom demand (undisclosed) ignored |
| 25 Jun | Full 4.4 M database dumped free; NCSC-FBI flash alert issued |
"We recently identified unauthorised access to a limited segment of our database… approximately 4.4 million consumers impacted."
—TransUnion regulatory 8-K, 24 Jun 2025 →
Fall-out — From Credit Files to Class-Action Files
4.4 million consumers – names, full SSN, DOB, employer, VantageScore, mortgage balance
Dark-web auction – entire DB listed at $200 k; buyers offered $5 per record micro-packs
SIM-swap surge – 12 k complaints to FCC within 10 days; $7.8 M in crypto-exchange account takeovers traced to leaked data →
Stock dip – TRU falls 6.2 %; $1.1 B market-cap erased
Class-action lawsuit filed in Northern Illinois – seeks $1,000 per consumer under FCRA & state privacy laws
Estimated cost – $90 M for credit monitoring, legal fees, regulatory fines →
Kill-Chain De-constructed — SQLi → Web-Shell → Vault
| MITRE Tactic | Technique | TransUnion Reality |
|---|---|---|
| Initial Access | T1190 Exploit Public-Facing App | CVE-2025-2841 – blind SQLi in SmartView "scoreCheck" parameter |
| Execution | T1059.003 Windows Command Shell | cmd.exe /c powershell -enc – Mimikatz in memory |
| Credential Access | T1003.001 OS Credential Dumping | LSASS dump → IIS service account hash → NTLM relay |
| Collection | T1005 Data from Local System | SELECT * FROM ConsumerCredit.vw_FullFile – 4.4 M rows |
| Exfiltration | T1567.002 Exfil to Cloud Storage | Rclone to Mega – 11 GB archive; public link |
| Impact | T1491.001 Defacement (accidental) | Portal 404'd; consumer credit locks auto-enabled |
Root Causes — When Wednesday Becomes Zero-Day
Zero-day SQLi – patch released 18 Jun (24 h later); TransUnion 48 h behind emergency SLA
IIS service account = Local Admin – over-privileged web runtime
No WAF custom rules – SQLi payload "scoreCheck=1' WAITFOR DELAY" – passed clean
Flat network – web server → credit vault on same VLAN; no micro-segmentation
Log retention gap – IIS logs overwritten every 12 h; forensic trail partial
Expert Insight — "Credit Data Ages Like Milk, Not Wine"
"4.4 million credit files just became fuel for synthetic-ID factories. The only thing worse than losing SSNs is losing them with a credit score attached."—Alissa Knight, Partner, Knight Ink →
Mitigation — Six NIST Controls That Turn Wednesday into Patch-Tuesday-Plus-One
| Control | NIST CSF ID | What Credit Bureaus Must Freeze Before Next Query |
|---|---|---|
| Virtual patching / WAF | PR.IP-1 | Custom SQLi rules – block WAITFOR, pg_sleep, benchmark |
| Least-privilege service accounts | PR.AC-2 | IIS AppPool = no local admin; separate SQL user with read-only views |
| Micro-segmentation | PR.AC-5 | Web DMZ cannot route to credit-vault VLAN – proxy + mTLS only |
| Encrypted columns + tokenisation | PR.DS-1 | AES-256 on SSN column; API returns tokenised surrogate key |
| Immutable log shipping | PR.IP-4 | IIS + SQL logs to WORM S3; 90-day retention minimum |
| Zero-day SLA | ID.RA-1 | CISA KEV → patch or virtual-patch within 24 h – regulatory requirement |
Quick-Start Playbook — What to Do Before the Next Credit Check
1
Today
apply CVE-2025-2841 patch; virtual-patch via WAF if can't reboot
2
This Week
rotate all SQL service accounts; drop to read-only where possible
3
Next Sprint
deploy micro-segmentation; web tier → vault via authenticated proxy only
4
Next Month
tokenise SSN in API responses; expose surrogate key to front-end
5
Quarterly
red-team SQLi exercise; any successful data extraction = fail
Closing — The Coffee-Cart Challenge
APT actors spent 39 minutes inside TransUnion's credit vault, but the initial breach took the same 300 seconds it takes a Chicago coffee cart to pour 10 flat-whites during rush hour.
If America's credit backbone can be cracked between cream and sugar, ask yourself:
"What am I doing during the time it takes the coffee cart to pour a flat-white?"
References
TransUnion 8-K cyber-incident update
TransUnion Investor Relations, 24 Jun 2025
https://investors.transunion.com/news-and-events/news/news-details/2025/TransUnion-Provides-Update-on-Cyber-Incident/default.aspxSIM-swap surge after TransUnion breach
FCC consumer alert, 29 Jun 2025
https://www.fcc.gov/document/fcc-issues-sim-swap-warning-after-transunion-breachTransUnion faces $90 million cost after cyber-attack
Reuters, 26 Jun 2025
https://www.reuters.com/business/finance/transunion-faces-90-million-cost-after-cyber-attack-sources-2025-06-26/Analysis of CVE-2025-2841 zero-day
Alissa Knight, Knight Ink, 27 Jun 2025
https://knightink.com/transunion-credit-breach-analysis-2025Protect Your Credit Infrastructure From Zero-Day Attacks
Don't let your organization become the next TransUnion. Get expert vulnerability assessment and zero-day protection strategies.