The Hackers Are Back
Just when you thought it was safe to go back to your credit bureau…
On March 17, 2022, credit bureau TransUnion released a statement saying it had been hacked, and that 54 million South African records were under potential threat as a result.
Technology site ITWeb reported that the hackers were apparently a Brazilian group called N4aughtysecTU, who gained access to TransUnion’s server by misusing an authorised client’s credentials.
(Some reports claimed the client in question’s password was “Password,” but this has not been reliably confirmed).
The hackers reportedly said they had four terabytes of client information (including that from over 200 corporates) and threatened to attack those corporate clients if TransUnion didn’t cough up $15 million in Bitcoin.
TransUnion confirmed it had received “an extortion demand” but that it “would not be paid.”
Instead, it immediately suspended the compromised client’s access, engaged cybersecurity and forensic experts, and began investigating the breach.
In the few days since then, events have taken an interesting turn.
A scant 24 hours after the initial report of the hack was released, TransUnion told Fin24 that “We believe the 54 million records relate to a 2017 data incident unrelated to TransUnion.”
They are not denying the hack, only that the reported massive data theft is related to this incident.
This is an ongoing story which we will follow closely.
But whatever the eventual situation turns out to be, the fact remains:
Every company that holds personal information is a potential target – and credit bureaus in particular appear to be easy pickings.
I’m sure you all remember the Experian data breach back in 2020, which potentially exposed 24 million South Africans’ information. The following year, Debt-IN Consultants, a debt recovery partner to many South African financial services institutions, received a ransomware attack that resulted in the illegal access of over 1.4 million South Africans’ data.
One of the biggest problems is that, while credit unions take considerable precautions to safeguard their customers against these kinds of attacks, they can’t defend themselves against every eventuality.
Why?
Because they simply don’t know what they don’t know. And you can’t protect yourself against what you don’t know.
Allow me to digress from credit bureaus for a moment…
In 2002, when asked about the lack of evidence to support the assertion from the White House that Iraq was supplying weapons of mass destruction to terrorist groups, former US Secretary of Defence, Donald Rumsfeld, said, “There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don’t know. But there are also unknown unknowns. These are the things we don’t know we don’t know.”
Widely referred to as the worst Defence Secretary in US history, Rumsfeld is generally regarded as one of the main architects of America’s wars in both Iraq and Afghanistan.
But whatever your opinions on US politics, or about Donald Rumsfeld himself, his statement is undeniably thought-provoking and profound.
It is also 100 percent accurate.
There are indeed “unknown unknowns” – those things that we simply don’t know we don’t know.
Here’s the uncomfortable truth:
As human beings, we simply don’t know as much as we think we do.
Repeated studies have shown that, when we’re asked to explain how everyday things work – things that most of us feel certain we understand – we are simply unable to do so.
An article in the Harvard Business Review asked its readers to describe the workings of a familiar object – a toilet, for example, or a music speaker. What initially sounded like a simple task soon became tricky when people realised that using something every day – even, in some cases, multiple times a day – by no means guarantees that we actually know how it does the things it does.
This is when we realise there are unexpected – and admittedly unwelcome – gaps in our knowledge.
Psychologists like to call this the “illusion of explanatory depth.” In other words, a type of cognitive barrier that tricks us into thinking we fully understand something we actually don’t.
It’s the same with words.
As businesspeople, we love to throw around the latest buzzwords and jargon to make us sound like subject matter experts.
And in many cases, that’s exactly what we are – but it’s not the buzzwords that make us so.
Nevertheless, we enthusiastically use these words even though we’re more than a little vague on what their meanings truly are.
Of course, in some cases, people who aren’t experts in their field but want to appear to be, use these same buzzwords in an attempt to cover up gaps in their expertise. The words act as bridges across chasms between what they genuinely do know, and the concepts they simply don’t understand.
The same article in the Harvard Business Review cites the example of a corporate meeting in which the term “streamlining business practices” was used quite regularly. Eager-to-please executives nodded in agreement, but after the meeting were overheard asking each other exactly what it meant to streamline a business, and what that would actually look like in practice.
Unfortunately, there are instances where what we don’t know we don’t know can have far more serious ramifications than a few nonplussed business executives trying to decode unfamiliar jargon.
The financial crash of 2007/8 is a classic case in point.
The profound misunderstanding of complex financial products directly contributed to the devastating market collapse.
Because so few people had any kind of comprehension about the nature of the products being sold, investment banks were left completely exposed, unable to protect themselves when the proverbial hit the fan.
The huge knowledge gaps displayed by companies like AIG about the riskiness of the products they were insuring were to prove catastrophic.
This is what can happen when we don’t know what we don’t know.
So how do these types of cognitive barriers play out in the credit and finance sectors?
Every one of the 25 million or so credit-active consumers in South Africa has a profile with a credit bureau. And every one of those 25 million people will have submitted the information required to complete that profile before they can be recommended to financial institutions for the lines of credit they’ve requested.
But this is where things start to get a little uncomfortable for the credit bureaus.
Why?
Because South Africa has the third highest incidence of credit fraud in the world.
Which means, somewhere along the line, the information submitted by some of those 25 million people was a little economical, truth-wise.
The problem is – and I say this with all due respect, and with an appreciation for the complexity of the work – credit bureaus have certain parameters in which they operate, and specific information they require.
As a con artist or fraudster, if you know exactly what the credit bureaus are looking for, and can present it in a way that looks believable, the chances are you will be believed. When you offer up exactly what is expected, no red flags are raised.
It’s like bringing in more bottles of perfume than you’re allowed duty free after a shopping spree at Dubai airport. If you declare four bottles to the customs officials, why would they think to ask you about the other 20 you have hidden in your suitcase?
They don’t know you have them, and they don’t know what they don’t know.
And when you hide in plain sight something people don’t expect to see, the chances are they won’t see it.
There’s a fascinating experiment that illustrates this to a tee, and I’ll share it with you in my next article.
Until then, be aware, be vigilant, and be safe.