Credit bureau TransUnion said Thursday that more than 4 million people’s data was exposed in a recent hack involving an unidentified third party.
In a letter dated earlier this week and posted to the website of Maine’s attorney general, the company said it had “recently experienced a cyber incident involving a third-party application serving our U.S. consumer support operations.”
In a statement, TransUnion said it had “quickly contained the issue, which did not involve our core credit database or include credit reports.”
Maine legally requires disclosures for certain kinds of breaches affecting its residents. The name of the third-party application was not disclosed, but U.S. corporations have recently seen waves of compromises as hackers trick employees into opening up their respective employers’ Salesforce databases.
A Salesforce representative did not immediately return a message seeking comment.
The hack included “any personal information” provided in connection with applications or collected during students’ studies, according to drafts of letters from the university to potentially affected individuals. That includes contact details, demographic information, academic history, financial aid-related information and insurance and health-related data shared with the university, the letters state.
The university’s investigation is ongoing and the school is still working to determine the number of individuals impacted, a Columbia official said Friday. The school will continue to notify people who have been affected, the official said.
The details were included in reports Columbia made Thursday to state officials in Maine and California, according to the websites of their attorneys general. Both states require organizations to report breaches “without unreasonable delay” when their residents’ data is involved.