A malicious actor used stolen credentials to access a web portal operated by credit reporting agency TransUnion Canada and then used that portal to access consumer files.

This week, BleepingComputer posted a report containing scanned images of a disclosure notification that TransUnion Canada has begun mailing out to affected consumers.

The notification, dated Sept. 19, an online intruder obtained an access code and password used one of TransUnion Canada's business customers, the Winnipeg, Canada-based financial institution CWB National Leasing. This gave the illegal party access to consumers' credit file information from a time period of June 28 through July 11 of this year.

In order to look up files on a specific consumer, the attacker first would have had to input certain personal information regarding that particular individual. According to TransUnion, the offender was, in fact, able to acquire personal data on certain consumers – including Social Insurance Numbers – from an unknown third-party source, prior to looking them up in the portal.

TransUnion's records of consumers typically include one's names, birth date, current and former addresses, information related to credit and loan obligations (including payees) and credit re-payment history, but not account numbers.

TransUnion's systems themselves were not breached. The company says that in response to the incident, it terminated the compromised login credentials and contacted the Office of the Privacy Commissioner of Canada. It also is offering victims two years of free ID theft insurance, and will ensure that any unauthorized look-ups of consumers' files will not count toward one's credit report.