An Unauthorized Charge From TransUnion: Was My Identity Stolen?

Advertiser Disclosure This article/post contains references to products or services from one or more of our advertisers or partners. We may receive compensation when you click on links to those products or services.
Last updated on June 24, 2016 Views: 697 Comments: 19

Earlier this year, the university where I studied as an undergraduate, the University of Delaware, announced that the school had been the victim of a security breach. The announcement indicated that personal information of anyone who had been on the university’s payroll might be compromised, and those who were compromised would receive a letter from the university.

I worked for no more than twelve weeks in one of the university’s libraries no later than 1998. I couldn’t believe that the university would maintain a digital database of payroll records fifteen years old, so I didn’t pay too much attention to the breach. Months later, I found out that the university did send a letter to an old address, and my Social Security number may have been compromised. The university partnered with an identity protection service called ID TheftSmart, and the letter suggested I enroll in the program, and that the cost of enrollment would be nothing for three years.

ID TheftSmart is a product offered by Kroll. This service and similar services offered by other companies monitor credit reports from one or more of the credit reporting bureaus, and the company will alert owners who are enrolled in the program if there are any changes to the credit report. It’s a decent way to see, after the fact, if anyone has used your information to open new credit lines.

I don’t think these programs are worth the cost. A much better option, if you believe your credit is or will be compromised, is to put an initial fraud alert on your credit. It’s free, and once you enable the alert with one bureau, the other two bureaus will also enable alerts within twenty-four hours. Did I mention it’s free? The alert remains on file for 90 days.

Nevertheless, I took no action on the news that I was one of the thousands of former university employees whose information might have been compromised. The risk seemed pretty low to me, at least until I next tried to verify my personal identity using information from my credit report.

Last week, I began my application for health insurance coverage through the national exchange put into place by the Affordable Care Act. Thanks to Obamacare, I should be able to reduce my insurance bill from the more than $700 per month I’m paying for insurance for myself through COBRA to a more reasonable amount for the same type of service. In order to see options within the exchange, interested users must verify their identity, and I wasn’t able to do so.

The typical process for identity verification using information from credit reports involves four of five multiple-choice questions, where the questions and potential answers are drawn from past addresses, phone numbers, employers, and loans. Every so often, there is a “trick question;” one of the questions does not have any correct responses or the question would not be applicable.

For example, one trick question I might see might be stated as follows: “In 2008, you opened a mortgage. Which bank services the mortgage?” The choices would be four banks I may or may not have experience with, or “none of the above.” Because I never opened a mortgage, and because that fact would be clear from my credit report, the correct answer is “none of the above.”

Usually, I’ve seen no more than one of these trick questions in the identity verification challenge. But when I tried verifying my identity for the health insurance exchange, there were two. I answered all questions accurately, but the system could not confirm my identity. I tried again, with five new questions. Again, three were from real information in my credit history, and two were trick questions. Again, the identity verification failed.

The federal health insurance exchange offers an alternative method for confirming identity: uploading documents, like birth certificates, Social Security cards, driver licenses, and other items with personal information. Because the site was overwhelmed by traffic and the website administrators might still be working out bugs, I was unable to upload my documents right away, and my application remained incomplete.

It worried me that I was not able to verify my identity. Maybe it was another bug on the website, but maybe there’s a problem with one of my credit report. Perhaps my personal information really was compromised due to the data breach at the University of Delaware. I started investigating the issue myself.

I first tried to order free credit reports from I tried Experian first — and after answering identity verification questions, I received a message saying Experian would not be able to provide my credit report online, and that I should call a number. I called, but it was after hours, so there was no response. I started the process again, selected Equifax, but yet again something prevented me from ordering my credit report online.

At this point, I decided I needed to do something more, so I looked at the service the University of Delaware was offering, ID TheftSmart. The pamphlet provided with the letter from the university indicated the service would be free for three years, so I enrolled.

Yesterday, when checking my recent credit card activity, I saw a recent charge for $16.95 from TransUnion. The charge was on the same day as my ID TheftSmart enrollment, but I did not interact with TransUnion, nor did I give my credit card number in the enrollment process. The phone number associated with the credit card charge is 800-493-3292, and I called the number this morning. I expected them to say that this charge was related to my enrollment in ID TheftSmart, but they didn’t; apparently the charge was for a service initiated in mid-September for someone with a different name. Someone named Brenda used my credit card number to enroll in a credit service directly with TransUnion.

With this information, there were four actions I needed to take, which I was able to complete within a span of about thirty minutes:

  • I began the process of getting a refund from TransUnion. This is unfortunately not a very quick process. TransUnion must mail me some kind of form I need to complete and send back before they can issue a refund. The process must be in place to prevent people from requesting refunds illegitimately.
  • I added an initial fraud alert to my credit report. I called the TransUnion fraud department, as instructed by the first TransUnion customer service representative. I enabled the fraud alert with TransUnion, and Experian and Equifax should also reflect a fraud alert within twenty-four hours. That means that if my information is used to open any new credit lines within the next 90 days, the opening will not be permitted without a phone call to me for verification.

    Interestingly, the fraud department indicated the number I dialed initially was not a real TransUnion number, and that the correct number is 800-493-2392 (note the transposition of the 2 and 3). After the call with the fraud department, I called the correct number. Both numbers go to the same company; they both seem to be correct, despite the scare provided by the fraud department.

  • I change my credit card number. The credit card affected was the only personal card I use regularly — my Chase United MileagePlus Explorer card. I informed the Chase customer service representative that my credit card number appears to have been used by someone I don’t know without my authorization, and that there was one charge I’d like to dispute. The dispute process is now underway, and Chase is sending a new card with a new number via overnight UPS service. I immediately canceled my current credit card number.
  • I ordered my free credit report. Although I was unable to order my free credit report online from Equifax and Experian, I was able to order one from TransUnion (via, naturally). There was nothing out of the ordinary on this report. There were no unknown addresses and no unknown accounts, new or old. This gave me more confidence that my identity had not been compromised — just my credit card number.

Another action I will take is to check the recent activity in my other credit cards. I have other open credit cards that I haven’t used in years, and it’s possible, if this person truly got a hold of one of my credit card numbers, that she might have others. At times like this, having a simplified personal finance system, with only a few bank accounts, comes in handy; I, on the other hand, have many open accounts thanks to my dedication to writing reviews for Consumerism Commentary.

Here’s what I should have done: At the moment I heard that my personal information was likely breached at the University of Delaware, I should have initiated fraud alerts with the credit reporting agencies. I should have ignored the free offer for third-party credit monitoring.

I’ll continue to monitor my financial accounts to ensure no other information has been compromised. I was ready to assume that this TransUnion charge was just a case of ID TheftSmart not disclosing that TransUnion would be charging me a fee, but with the knowledge that the charge was placed by somebody with a different name for a service that started several weeks ago, it’s clear this was purely a case of someone else using my credit card number. Perhaps the trouble I had confirming my identity for health insurance was just a coincidence.

Article comments


Please unsubscribe my name from TU*TRANSUNION NOW. I do not want your service and want you to return my $19.95 to my credit card. I did not give you permission to take money from my account. If it is not returned, I will have to take action.
Judy Barnes

SLC says:

I don’t remember enrolling in Tran Union but called about a recurring charge of $19.95. When they investigated the charge they said someone named Ken Lane had used it and they would refund all the charges and that I should call a number to add an initial fraud alert to my credit report.

When I called the number, the automated system wanted me to enroll in protection plan (?!). Is it possible that they are creating a need for their services?

Anonymous says:

My fiancé was charged by transunion today, we never even heard of it, he is canceling his card today, but will that stop who ever is doing this?

Anonymous says:

before i canceled my card, i had to pay for the payment that the hacker spend something on my account, after that my account is closed permanent. I think discover company got hack by hacker.

Anonymous says:

it seem like not much people have this problem, i has this issued twice now….1st time i called up and requested to cancel the transaction and new card, 2nd new card not arrive home and activate yet but i don’t know why they can still using my old card number …how can i solve this problem?

Anonymous says:

I have had my Debit card charged by Transunion on 2 different cards, and they always give me a fictitious name of who used it. Laura Horperp, is the name supposedly, but why would someone steal my numbers and sign me up for Transunion, I have contacted a class action Lawyer in New York City

Anonymous says:

I am actually dealing with this since February. Now it’s May! I called the number originally listed, right away they asked for my social, I did not feel comfortable with it, so I called my credit card company. They refunded me the money but couldn’t stop the charges even after I changed the card number! So I called a number listed directly on the TransUnion website, they said they couldn’t find any transactions they had towards me. On my statement, it displays a number linked to California, but when I called TransUnion they are located in Pennsylvania. I just recently began building my credit, the last thing I need is for my identity to be stolen.

Anonymous says:

Hi my name is Norma Martinez this morning about 5 o’clock in the morning Tran Union subscribe me without my consent … when I first signed up it took my debit reload Visa Card and told me I was decline few days later I was subscribed and they charged me $17 … SmH

Anonymous says:

The same thing happened to me! I ordered a credit report for $1.00, then I find out they are charging me $17 and change each month! I kept getting weird emals from Transunion, and if you hover your mouse over the link, it is NOT! It is this:

So I think they are scamming people!

Anonymous says:

Oh! I also checked the IP address on the header of the email they sent me, and it states it is from California, when’s website states they are from Pennsylvania! What a mess!

Anonymous says:

This is one of the reasons I don’t like credit cards. There is also a risk of fraud. If you only spend money that you have, then you will not have problems with this. You also don’t need to spend for security.

Anonymous says:

We’ve had the worst time with identity theft recently. Our old mortgage servicer had two breaches and only told us about one of them. All of a sudden, there was a barrage of activity; fake transfers from our checking account, attempts to open new accounts, and attempts to change our passwords and e-mail addresses on file with brokerage firms, the banks, and credit card companies. We changed every number and put a freeze on our credit report but it’s still a huge bother.

Luke Landes says:

That sounds like a terrible experience. I’ve been checking my accounts every day over these past few days. Thankfully, I haven’t seen anything else out of the ordinary.

Anonymous says:

I wouldn’t necessarily conclude that the U. Delaware breech had anything to do with it. Could very likely be pure coincidence. Petty identity theft like individual fraudulent credit card charges are actually extremely common. Some big companies or organization seem to have security breeches or and lose peoples personal information every other week. So its actually pretty likely that you’d have both of those things happen.

Luke Landes says:

Quite right. The Delaware security breach could be a separate incident from the unauthorized use of my credit card number. And both could be unrelated to the fact that I’ve had difficulty confirming my identity and ordering free annual credit reports. It’s a mess. I’m thankful for zero-liability policies, and I’m relieved no other accounts — and my credit history — seem to be compromised.

Anonymous says:

It is still possible of course that the U Delaware breech got your #’s out there somewhere…

I think sometimes those security breeches are nothing and nothing ever happened. e.g. A breech could be if some employee lost a laptop full of peoples SSN #’s but whoever found the laptop didnt steal all the #’s or even realize they were there. On the other hand sometimes hackers steal the SSN’s. Its impossible for us to know which breeches are really serious and which are just a potential risk.

For the longest time now one of the 3 credit bureaus hasn’t let me verify my identity on line and order the online free annual credit report. I can’t figure out why. My credit scores were all great last time we got a mortgage. I’ve finally decided to send in a paper form to request the records from the bureau in question.

Anonymous says:

Oh that would make me furious as well! I can’t believe the University of Delaware kept your records this long and left them vulnerable, and that all the things wrong keep piling on 🙁 I really hope this can be sorted with a minimum of additional fuss and bother.

Anonymous says:

That stinks that you might have been hit by fraud. I had a similar experience months ago and wrote about it on my blog. Make sure to keep an eye out as that first charge might have been a test before they try a big balance transfer.

Luke Landes says:

The whole thing angers me so much. I couldn’t sleep last night, not because I was worried about having to deal with potential fraud, but because someone or some company thinks they can take advantage of me. I have a big problem with this; if someone tried to take me for a fool, I get riled up and it makes me very upset. I’m better the next day, but it takes a while to completely recover. I take it too personally, as if someone wanted to target me because they thought I was vulnerable.