TransUnion Data Breach Impacts 4.5 Million US Customers

Credit rating giant TransUnion has suffered a data breach, which has impacted the personal information of nearly 4.5 million Americans.

In a notification letter to impacted customers, the firm revealed that unauthorized access was gained to a third-party application serving its US consumer support operations.

The information was limited to specific data elements and did not include credit reports or core credit information.

TransUnion has not publicly provided any more details on the nature of the breached data.

“We regret any concern caused by this incident and take seriously the responsibility to help secure consumer information,” the credit agency wrote.

Notified customers are being offered free access to credit monitoring and proactive fraud assistance services.

“TransUnion takes the protection of personal information seriously, which is why we engage in robust, proactive security measures. We continue to enhance our security controls as appropriate to minimize the risk of any similar incident in the future,” the company added.

According to a filing to the Office of the Maine Attorney General, the breach occurred on July 28 and was detected two days later on July 30.

TransUnion has been affected by other data breach incidents in recent years. In 2022, it confirmed that an attacker broke into an isolated South African server and stole personal data relating to around five million customers.

In September 2023, a threat actor known as “USDoD” published a 3GB database purportedly containing the personally identifiable information (PII) of 58,505 TransUnion customers.

The agency subsequently reported that no data was exfiltrated from its systems, suggesting it may have been a supply chain compromise.

Third-Party Data Breaches Continue to Grow

The latest TransUnion incident follows a number of other high-profile data breaches resulting from the compromise of third parties in recent months.

An attack on procurement service provider Chain IQ breached data from banking giant UBS in June 2025.

In July, insurance firm Allianz Life revealed the majority of its 1.4 million US customers had personal data stolen after a threat actor gained access to a third-party, cloud-based CRM.

Australian airline Qantas disclosed a data breach affecting nearly six million customers after hackers gained access to a third-party customer service platform in July.

Two cybercriminal groups, Scattered Spider and ShinyHunters, have been linked to a number of attacks of this nature, specializing in compromising third-party IT and cloud providers through social engineering techniques.

These groups are affiliated to The Com – a loosely organized online criminal network involving thousands of English-speaking individuals.
