In a Nutshell: TransUnion has a 50-year legacy as a credit reporting agency, but its positive impact extends to all business sectors where consumer identity is a factor. That includes protecting business data against reputational threats through its global incident response team. TransUnion draws on a holistic understanding of the global transactional space to deploy breach fulfillment and forensic solutions that prevent and mitigate the impact of data breaches and, ultimately, help companies act with confidence and earn consumer trust.
Most people probably think of TransUnion as one of the three major US credit reporting agencies responsible for producing consumer payment history information for lenders making credit decisions.
That’s true, and the VantageScore credit-score model (which is partially owned by TransUnion) offers a distinct perspective on creditworthiness for more nuanced decision-making.
But as important as those services are, they’re part of a larger story of TransUnion responding to digital and market transformation to evolve into the diverse company it is today.
TransUnion draws on its 50-year legacy as a financial data producer and analyst to offer information and insights to more than 65,000 business customers in diverse industries where understanding consumer and customer identity is essential. Its Tru™ suite of seven global product lines delivers solutions for marketing, fraud prevention, risk management, advanced analytics, consumer engagement, investigations, and communications.
As a data-focused company, TransUnion can now enable financial institutions, employers, government agencies, and other organizations to empower and protect their customers and employees with a wide range of solutions, including credit monitoring, dark web monitoring, identity protection solutions, and remediation services.
When something threatens the data a company is responsible for, TransUnion helps business clients engage and protect their customers and employees through identity protection and management services, including robust incident response solutions delivered through a team led by Nate Spurrier, Vice President, Global Incident Response at TransUnion.
“When a security incident exposes consumer personal information, an event evolves from what may require a simple security patch to a now highly regulated privacy incident,” Spurrier said. “We provide our clients with compliance-based identity protection solutions to reinforce customer protection, protect brand health, and enable business continuity.”
Expert Guidance Minimizes Business Disruption
In addition to drawing on its legacy, TransUnion has clarified and enhanced its approach through acquisition. Spurrier served as Senior Business Development Director, Global Incident Response at CyberScout when Sontiq acquired that company in 2021. TransUnion then acquired Sontiq, enabling TransUnion to accelerate market outreach with proactive incident response solutions.
“We’re driving awareness of where we fit in the breach fulfillment space by supporting any privacy incident that might occur,” Spurrier said.
The problem for businesses is that data breaches, ransomware attacks, and other accidental and deliberate incidents are more prevalent than ever. Fortunately, TransUnion’s deep and broad understanding of the data landscape positions it to effectively assess and respond to incidents.
On the forensic side, TransUnion’s Incident Response team provides investigative and remediation services to assess and fix what happened. But it spends most of its time in the consumer protection business, working with clients to manage regulatory requirements to notify and support customers and individuals impacted by security incidents.
“It’s a large and complicated space that varies on a state-by-state basis in the US and on an international basis in the EU and elsewhere,” Spurrier said.
Dedicated incident coordinators work with privacy counsel to ensure TransUnion manages those variations to facilitate a successful response from start to finish. The notification process then informs individuals through various channels per regulation.
TransUnion works directly with impacted businesses to help them understand how to best communicate with the individuals impacted by a privacy incident. It often sets up a call center to allow consumers to call in and ask questions. Furthermore, regulations often require companies to offer credit monitoring and identity protection services when certain types of sensitive information are exposed, and TransUnion facilitates that too.
“Our incident response service fits very well with TransUnion as a brand,” Spurrier said. “As one of the three major US credit bureaus, we are able to not only help businesses with a plan of action for mitigating cyber incident damage, but we can support the impacted individuals as well.”
Anticipating and Responding to Evolving Threats
That position naturally results in Spurrier and the incident response team gaining copious institutional knowledge about evolving security threats and the data landscape. Spurrier said third-party breaches are among the most insidious due to the inevitability of inter-company partnerships and customer relationships.
Third-party involvement increases the number of moving parts in incident response. Providing consistent information access and coordination becomes an issue, as does meeting regulatory requirements when information may be incomplete.
While large organizations may have the resources to monitor partnerships and relationships and ensure everyone’s on the same page security-wise, smaller businesses are often at the mercy of forces beyond their control.
“Even if you double down on your security footprint, hire additional staff, and acquire better monitoring tools, you can’t guarantee that outside organizations with access to your data will do the same,” Spurrier said. “If they have a breach, it’s much more complicated to find out how it happened, assess the damage, and respond.”
Meanwhile, threat actors are continually upping their game and growing more sophisticated and targeted in their approach. For example, Spurrier said a new trend has ransomware fraudsters aiming at insurance companies and other financial institutions in an effort to gain leverage in their demands. Once they’re in, they attempt to gain access to a list of potential targets and determine how much insurance coverage they have to pay ransom demands.
The bottom line is that fraudsters keep getting better and better. It takes resources and a comprehensive view to anticipate new threats in time to mitigate them.
“Their goal is to know how much to extort in ransom because they know the company’s coverage and won’t negotiate,” Spurrier said. “Threat actors are changing their tactics to access upstream information to require higher payments for themselves in the form of increased ransom payments.”
Ensuring Compliance and Effective Communication
As a highly regulated business with a long history of institutional involvement, TransUnion understands business compliance and works to match its response to each client’s unique needs. It’s one of the many ways partnering with an incident response provider with global reach ensures an optimal response.
That can take many forms. For example, all US states have strict consumer notification requirements when sensitive personal data is exposed. However, some states prioritize informing affected individuals as quickly as possible, while others prioritize more deliberate timelines.
Similarly, while the US typically requires companies to notify impacted individuals with a physical letter, the requirements of the EU’s General Data Protection Regulation (GDPR) allow for electronic notifications, while including other strictures regarding how and when communication can occur and to what extent.
Those varying regulations can introduce some confusion in a company’s response to a security incident. The TransUnion Incident Response team can help a company work with its privacy counsel to navigate the different regulatory requirements to ensure a seamless incident response and rectification process.
Customers can encounter TransUnion’s incident response or identity protection and restoration services through employers, retailers, and other organizations with access to their data. That could be anyone, given the data-centric reality of today.
“If you have employees, customers, vendors, contractors, or applicants, your data is at stake,” Spurrier said. “From a reputational standpoint, data breaches can cause significant damages that some companies never recover from.”