TransUnion has filed data breach disclosures with the attorney general’s offices of Texas and Maine. According to the filings submitted to the authorities, a data breach affecting millions of TransUnion customers occurred on July 28, 2025, and was discovered a couple of days later. Unknown hackers have stolen the personal information of nearly 4.5 million TransUnion customers. The exposed sensitive information was improperly stored on a third-party application. Currently, there is no information available on who is behind the attack and whether the stolen data has already been used for fraudulent activities. This is not the first time bad actors have targeted data belonging to the Chicago-based credit reporting agency.
You might be interested in: 15 Tips to Protect Personal Information Online for 2023
Key takeaways
- A major credit bureau, TransUnion, was hacked on July 28, 2025. The incident was discovered on July 30, 2025.
- The number of affected individuals is upwards of 4 million. The exposed details of some of the victims include Social Security Numbers (SSN), full names of the victims, and date of birth (DOB).
- Details about the accident, such as who is behind the attack and why it took days for TransUnion to discover the breach, remain a mystery
- TransUnion has advised its customers to be vigilant for suspicious behavior and to take advantage of the 2-year free access to TrueIdentity online credit monitoring services
Was TransUnion hacked again?
The major credit agency has not been directly hacked, but details belonging to millions of its customers were exposed by a third-party vendor on July 28, 2025. Bits and pieces of information belonging to nearly 4.5 million Americans were exposed to cyber criminals. In TransUnion’s filing to the state of Maine, company representatives have stated that ‘no credit information was accessed’. However, the residents of Maine are only a small percentage of the millions of people affected in the breach. The data breach filing in Texas lists various types of exposed information, including SSNs, DOBs, and full names. The number of affected Texans is more than twenty times higher than the number of victims residing in Maine.
How bad is the TransUnion cybersecurity accident?
According to the Maine filing, the total number of affected individuals is 4,461,511. TransUnion reports that approximately 17,000 Maine residents and 358,000 Texas residents are affected by the cyber incident. Although TransUnion is the smallest of the three major credit bureaus in the USA, the Illinois-based credit consumer reporting agency has more than 260 million clients on file and plays a significant role in shaping the credit ratings of nearly all adult Americans.
Who is responsible for the TransUnion data breach?
The identity of the perpetrator(s) has not been revealed yet. TransUnion is collaborating with law enforcement agencies to gather more information about the attack. There is no definitive answer to whether the attack was state-sponsored or carried out by a money-driven hacker organization. There is no clarity about the whereabouts of the rest of the victims – it is very likely that, apart from the victims in Maine and Texas, there are affected residents from other states such as California, Illinois, and New York.
What does TransUnion want victims to do?
Affected customers have begun receiving letters with more details about the incident. And the type of information that was exposed to the bad actors. TransUnion recommends that victims monitor their credit reports for fraudulent activity and invites them to utilize the company’s credit monitoring tool, TrueIdentity. TransUnion has agreed to provide 24 months of free credit monitoring to all the affected customers.
Luckily, not all affected individuals saw all their most sensitive information stolen. Some of the information exposed to the hackers did not include people’s SSNs, full names, or dates of birth. However, information belonging to everyone was exposed. Fraudsters will likely attempt to piece together the available data points to commit fraud. Having all your connected devices safely protected would undoubtedly make it harder for criminals who are looking to gain access to the whole picture, as proper antivirus coverage prevents them from revealing additional information about you and the rest of the victims.