TransUnion Data Breach Exposes 4.4 Million Social Security Numbers, Two Class Action Lawsuits Filed

ByAll About Lawyer Reading Time: 9 minutes

TransUnion disclosed a data breach affecting 4,461,511 individuals after hackers accessed names, dates of birth, and Social Security numbers through a third-party Salesforce application on July 28, 2025. Two separate class action lawsuits have been filed in Illinois federal court seeking compensation for affected consumers. If you received a breach notification letter from TransUnion, you may be entitled to damages for identity theft risk, fraud losses, credit monitoring costs, and time spent protecting your information.

What Information Was Exposed?

The breach compromised highly sensitive personal data:

  • Names
  • Dates of birth
  • Social Security numbers
  • Billing addresses
  • Email addresses
  • Phone numbers
  • Customer support-related information

TransUnion emphasized its core credit database and credit reports were not accessed, but the exposed data is enough for identity thieves to open fraudulent accounts, file false tax returns, or commit other crimes in your name.

How Did the Breach Happen?

On July 28, 2025, unauthorized actors gained access to a third-party application used by TransUnion for U.S. consumer support operations. TransUnion discovered the breach two days later on July 30.

The breach was linked to a Salesforce OAuth exploit. According to reports from Google’s Threat Analysis Group and UpGuard, attackers exploited authentication tokens from integrated applications, bypassing login safeguards to access customer relationship management (CRM) data.

The hacker group ShinyHunters has been identified as responsible for the Salesforce data theft attacks.

Two Class Action Lawsuits Filed

First Lawsuit: Sevigny v. TransUnion LLC

Crystal Sevigny filed the first class action on September 8, 2025, in Illinois federal court, alleging TransUnion failed to properly secure and safeguard customer information.

The lawsuit claims:

  • Negligence in protecting personal data
  • Violations of state and federal consumer protection laws
  • Failure to implement adequate cybersecurity measures
  • Leaving class members vulnerable to identity theft and fraud

Second Lawsuit: Herships v. TransUnion LLC
 Case No. 1:25-cv-15428

Howard Herships filed a second class action recently in Illinois federal court with similar claims. Herships specifically argues TransUnion’s reliance on undisclosed third-party vendors contributed to the vulnerability.

The lawsuit states: “The unauthorized actors targeted a trusted vendor’s application, leveraging the trust relationship to infiltrate TransUnion’s systems.”

Herships claims:

  • Negligence
  • Negligence per se
  • Breach of implied contract
  • Unjust enrichment

Both plaintiffs seek to represent nationwide classes of affected individuals and demand jury trials for compensatory, punitive, and nominal damages plus injunctive relief.

TransUnion Data Breach Exposes 4.4 Million Social Security Numbers, Two Class Action Lawsuits Filed, Here's What You Need to Know

Who Qualifies for the Class Actions?

You may qualify if you:

  • Are a U.S. resident
  • Had your personally identifiable information compromised in the July 28, 2025 TransUnion data breach
  • Received a written notice from TransUnion about the breach

Both lawsuits seek to represent all individuals in the United States whose personal and financial information was exposed.

What Compensation May Be Available?

While no settlement has been reached yet, successful data breach class actions typically provide compensation for:

Direct Financial Losses:

  • Out-of-pocket costs from identity theft
  • Fraudulent charges on accounts
  • Insurance deductibles
  • Credit repair expenses

Time and Effort:

  • Hours spent monitoring accounts
  • Time dealing with fraud
  • Effort freezing credit and disputing charges

Future Risk:

  • Credit monitoring services
  • Identity theft protection
  • Medical monitoring (if applicable)
  • Increased insurance premiums

Statutory Damages:

  • Violations of federal and state consumer protection laws often carry minimum statutory damages per violation

Past data breach settlements have ranged from $20-$160 per person for basic claims, with higher amounts for those who can document actual financial harm.

Current Status of Litigation

Attorney investigations completed: Multiple law firms finished investigating the breach and filed lawsuits

Lawsuits filed: Two class actions pending in U.S. District Court for the Northern District of Illinois

Class certification: Not yet determined

Settlement negotiations: Unknown at this time

Next steps: Discovery, class certification motions, potential settlement discussions

TransUnion has not admitted any wrongdoing.

What TransUnion Says

A TransUnion spokesperson told Bloomberg: “Upon discovery, we quickly contained the issue, which did not involve our core credit database or include credit reports.”

TransUnion stores financial data for more than 260 million Americans, making it one of the three major credit bureaus alongside Equifax and Experian.

The company has not received reports of identity theft or fraud related to this breach so far, though victims often don’t discover fraud until months or years later.

How to Know If You’re Affected

TransUnion is sending written notices by mail to all 4.4 million affected individuals. If you received a letter from TransUnion stating your information was involved in the data breach, you are affected.

Even if you haven’t received a notice yet, if you’ve ever contacted TransUnion’s consumer support operations, your information may have been compromised.

What You Should Do Right Now

1. Save your breach notification letter
 Keep any letter or email from TransUnion about the breach. This proves you’re a class member.

2. Place credit freezes immediately
 Contact all three credit bureaus:

  • TransUnion: 1-888-909-8872
  • Equifax: 1-800-685-1111
  • Experian: 1-888-397-3742

Credit freezes are free and prevent new accounts from being opened in your name.

3. Set up fraud alerts
 Place an initial fraud alert on your credit file. This requires lenders to verify your identity before opening new credit.

4. Monitor your credit reports closely
 Check your reports from all three bureaus at AnnualCreditReport.com. Look for:

  • Accounts you didn’t open
  • Inquiries you didn’t authorize
  • Address changes you didn’t make
  • Employment information that’s incorrect

5. Monitor financial accounts daily
 Review bank statements, credit card transactions, and investment accounts for unauthorized activity.

6. File your taxes early
 Tax identity theft is common after Social Security number breaches. File as soon as you have your W-2 to prevent fraudsters from filing fake returns in your name.

7. Document everything
 Keep records of:

  • Time spent dealing with the breach
  • Phone calls made
  • Letters sent
  • Fraudulent charges discovered
  • Credit monitoring costs
  • Any other out-of-pocket expenses

This documentation strengthens potential claims in the class actions.

8. Watch for phishing scams
 Scammers will use the breach to send fake emails or make calls pretending to be TransUnion or financial institutions. Never provide login credentials or personal data unless you verify the request directly.

9. Consider identity theft protection
 TransUnion is likely offering free credit monitoring to affected individuals. Review what’s included and sign up if beneficial.

10. Stay informed about the lawsuits
 Check for updates on the class action litigation. You don’t need to take action now, but you’ll want to know when claims can be filed.

The Serious Risks of Social Security Number Exposure

Social Security numbers are the “master key” to your identity. With your SSN, thieves can:

  • Open credit cards and loans
  • File fraudulent tax returns
  • Access medical care using your insurance
  • Commit crimes using your identity
  • Open utility accounts
  • Rent apartments
  • Apply for government benefits
  • Get driver’s licenses

Unlike credit card numbers that can be changed, you’re stuck with your Social Security number for life. This breach creates permanent identity theft risk.

Other Recent TransUnion Settlements

$23 Million Hard Inquiry Settlement

In February 2025, a federal court granted preliminary approval for TransUnion to pay $23 million to resolve claims it failed to remove disputed hard inquiries from credit reports between December 2016 and January 2025.

More than 485,000 consumers who received a “502 Letter” after disputing hard inquiries qualify for $20-$160 each. A final hearing was scheduled for July 2025.

$2.5 Million FCRA Settlement

TransUnion agreed to pay $2.5 million to settle claims it violated the Fair Credit Reporting Act by continuing to send consumer data to debt collectors after being told to stop.

Class members who had data sent to Portfolio Recovery Associates between January 20, 2021 and December 31, 2023 receive at least $40 each. The final approval hearing was December 15, 2025.

No claim form was required – eligible class members automatically receive payment.

How This Breach Compares to Others

Recent Major Data Breaches:

  • AT&T (2024): 73 million customers, settlement offering up to $5,000 per person
  • Equifax (2017): 147 million people, $425 million settlement with payments up to $20,000
  • Capital One (2019): 100 million customers, $190 million settlement
  • Marriott (2018): 500 million guests, settlement ongoing

TransUnion’s breach affecting 4.4 million people is smaller than some megabreaches but involves highly sensitive data from a credit bureau, potentially creating greater long-term risk.

What Legal Experts Say

Data breach class actions can take 2-5 years to resolve. The litigation process typically involves:

Year 1-2: Class certification battles, discovery, expert reports
Year 2-3: Summary judgment motions, settlement negotiations
Year 3-5: Trial preparation or final settlement approval

Cases involving Social Security number breaches tend to settle for higher amounts because the data can’t be changed and creates permanent risk.

Multiple law firms including DiCello Levitt LLP, Stueve Siegel Hanson LLP, Laukaitis Law LLC, and others are representing plaintiffs.

State Attorney General Investigations

TransUnion filed breach notices with multiple state attorneys general offices including:

  • Maine Attorney General
  • Texas Attorney General

These offices may launch independent investigations or enforcement actions beyond the class action lawsuits.

The Salesforce Connection

This breach was part of a broader Salesforce exploit affecting multiple major companies:

  • Farmers Insurance
  • Allianz Life (1.4 million customers)
  • Christian Dior
  • Louis Vuitton
  • Qantas

More than 70 lawsuits have been filed following the Salesforce breach across affected companies.

Why TransUnion’s Breach Is Especially Concerning

TransUnion isn’t just any company – it’s one of three gatekeepers controlling Americans’ access to credit, housing, employment, and more. The company:

  • Stores data on 260+ million Americans
  • Influences mortgage approvals
  • Affects job applications
  • Determines insurance rates
  • Controls access to rental housing
  • Impacts loan interest rates

When a credit bureau suffers a breach, the consequences multiply because credit data touches every aspect of financial life.

What Happens Next

Short Term (Next 3-6 months):

  • Class certification motions filed
  • Discovery begins
  • Court rules on whether cases proceed as class actions

Medium Term (6-18 months):

  • Expert testimony on breach causes and damages
  • Settlement negotiations likely begin
  • Possible preliminary settlement approval

Long Term (1-3 years):

  • Final settlement approval or trial
  • Claims process opens for class members
  • Payments distributed

Based on typical data breach litigation timelines, affected individuals probably won’t see compensation until late 2026 or 2027 at the earliest.

Your Legal Rights

You have the right to:

  • Join the class action without taking any action now
  • Opt out and pursue individual legal action (though this is rarely beneficial)
  • Object to any proposed settlement if you believe it’s inadequate
  • File a complaint with the FTC at IdentityTheft.gov
  • Report the breach to your state attorney general

Most affected individuals benefit most by staying in the class and documenting their losses carefully.

Frequently Asked Questions

Do I need to do anything right now to join the lawsuit?

No. If you received a breach notice, you’re automatically part of the class unless you opt out. You don’t need to hire a lawyer or file paperwork at this stage.

When will I receive compensation?

Not for 1-3 years. Data breach class actions take time. Watch for notices about settlement approval and claims periods.

How much money might I receive?

It depends on the settlement amount and number of claimants. Basic claims in data breach settlements typically range from $20-$160. If you can document actual fraud losses, you may receive more.

What if I haven’t experienced fraud yet?

You can still participate. Courts recognize the increased risk of future identity theft. Keep monitoring your accounts and credit reports.

Do I need to accept TransUnion’s free credit monitoring?

This is separate from the lawsuit. You can accept their monitoring offer and still participate in the class action.

What if I already have credit monitoring?

Document the cost. You may be able to seek reimbursement through the settlement for monitoring services you purchased.

Can I sue TransUnion separately?

You can opt out of the class action, but this is rarely advantageous unless you have significant documented damages. Individual lawsuits are expensive.

Will this affect my credit score?

The breach itself won’t affect your score. However, if identity thieves open fraudulent accounts, that could impact your credit until resolved.

What if I discover fraud months from now?

Keep documentation. Future fraud may still be compensable under the settlement depending on its terms.

Is TransUnion still safe to use?

The company claims to have contained the breach and states its core credit database wasn’t affected. However, you should monitor all three bureaus closely.

What if I never contacted TransUnion’s support team?

If you received a breach notification, your data was exposed regardless of whether you remember contacting support.

Can I get compensation for the time I spent dealing with this?

Potentially. Many data breach settlements compensate for time spent monitoring accounts, making calls, and protecting your information. Track your time carefully.

Important Reminders

  • Save all breach notifications from TransUnion
  • Place credit freezes with all three bureaus immediately
  • Monitor your credit reports and financial accounts regularly
  • Document all time and expenses related to the breach
  • Watch for updates about the class action lawsuits
  • Be alert for phishing scams exploiting the breach
  • File your taxes early to prevent tax identity theft
  • You don’t need to take legal action now – wait for settlement notices
  • Keep records of everything for potential claims

This article provides general information about the TransUnion data breach and class action lawsuits. It is not legal advice. For specific legal guidance, consult an attorney specializing in data breach litigation.

About the Author

Sarah Klein, JD

Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.
Read more about Sarah

Leave a Reply

Your email address will not be published. Required fields are marked *