On April 3 this year, Website Planet was running a web-mapping project when it discovered unsecured AWS S3 data buckets belonging to a state health agency in Nigeria.
These buckets contained some 75,000 entries on an estimated 37,000 people, about 45 GB in all, including identification documents and photos of people registered with the agency. The buckets dated from January 2021 and they were live and being updated at the time of discovery.
The agency, known as the Plateau State Contributory Healthcare Management Agency (PLASCHEMA) had been launched in September 2020 by the state’s governor, Simon Bako Lalong and it was geared towards providing cheap and accessible healthcare for residents of Plateau state.
On April 5, Website Planet contacted Nigerian authorities informing them of the exposed data buckets. But Website Planet says the data buckets remained live and unsecured until late July. It’s unknown if malicious actors found the data before they were secured. According to the spokesperson, “The longer it was left open, the more likely it could be caught by malicious parties.”
Personal information in the buckets could be exploited for identity theft which could be used to open social media and virtual bank or credit accounts.
On July 23, days after the unsecured buckets were locked down, Fabong Yildam, director general of PLASCHEMA denied any data breach or exposure in a press conference.
As a sad development
The incident, sadly, is typical of widespread cybersecurity issues in Nigeria where regulations are ineffective, bad practices run rampant, and public disclosures of security breaches are often slow and insuffient.
“Many organisations in developed countries communicate when they have cases of cyberattacks, which encourages cyber-resilience and widespread incident response,” says Confidence Staveley, a Nigerian security analyst and executive director of Cybersafe Foundation, a security consultancy and advocacy group.
“Back here, however, we see that generally, a lot of organisations absolutely deny the occurrence of cyberattacks and data breach incidents, even in the presence of undeniable evidence that they drastically play down the incident.”
In August 2020, two major Nigerian banks were reported to have suffered data breaches, exposing the financial details of their customers. Neither bank responded until days later, and then their press releases were vague, neither denying nor admitting to the occurrence of any data breach.
Early in July, David Hundeyin, an independent Nigerian journalist, also reported a possible compromise of emails belonging to the Lagos state government and the sale of these emails in the dark market. The Lagos state government and Nigeria’s cybersecurity agencies remained quiet over Hundeyin’s claims, neither responding nor denying the alleged breach.
Poor response mechanism
By not communicating, these agencies fail to equip their customers and other stakeholders with the information they need to protect themselves and provide actionable advice to anyone exposed by a potential breach.
The lack of communication, Staveley says, along with many bad cybersecurity practices, undermines cybersecurity and data protection in Nigeria, and creates a severe lack of trust and capacity.
Many IT infrastructure and data processes in Nigeria do not factor in security and protection, says Staveley, who’s worked and consulted with various banks and government agencies in a cybersecurity capacity. “Organisations do not even understand the weight that comes with collecting data. They do not see the data they collect as something that needs to be protected, and so they don’t thoroughly consider encryption and security in their data pipelines.”
A challenge forr NITDA
Nigeria’s National Information Technology Development Agency (NITDA) is in charge of cybersecurity and data protection, and it has established regulations and guidelines requiring organisations that process personal data to be secure in collecting, processing and storage of that data and to perform data security audits annually.
The 2020 Data Protection Bill also states that personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and access against loss.”
In practice, however, data collection and processing in Nigeria remains largely unmonitored and protection is often an afterthought. Sensitive data such as addresses, mobile numbers, financial details and even identification digits are asked for in queues, malls, and office receptions, places where such data are not necessary and where they are left accessible to anyone with enough curiosity to check the often public records.
“Most people do not even know the importance of their personal data and no one bothers to tell them that it’s important,” says Staveley.
There’s also a talent-retention problem, mainly due to poor remuneration and the lack of value placed on the work of cybersecurity specialists. According to a mail exchange between Website Planet and a spokesperson for Nigeria’s Computer Emergency Response Team obtained by WIRED, PLASCHEMA seemingly lacked the access or technical expertise to fix the problem immediately. “The organisation seems not to have the technical ability to remediate the incident promptly.
“We don’t appreciate cybersecurity in this country, for now,” says Moses Joshua, a cybersecurity specialist and founder of Diary of Hackers, a cybersecurity community that, among many other things, tells the stories of hackers. Due to problems with compensation and the lack of tools and incentives needed to perform properly, cybersecurity professionals find it hard to work for Nigerian firms or organisations.
“It’s hard to find a veteran hacker working for Nigerian firms. At most, they’re used as transitions to gain experience and once they get like two to three years of experience, they leave. It makes no sense to stay in a place where you’re paid less, there’s little to no career projection and you have limited access to important trade tools,” Joshua says. This leads to a lack of cybersecurity talent, but also a darker shade of the same problem. It means available talent has a shallow knowledge of the industry because many do not stay long enough to learn. It means every generation has to start over.
This problem spills over to tech talent generally. In recent times, as remote work has become more and more acceptable, retaining tech talent has been harder for local firms and organisations, as they’re forced to compete with bigger corporations who can pay more and offer better career paths. This is a significant problem, especially for startups. But those most affected are firms and organisations with little to zero international prospects, such as Nigerian banks.
Cybersecurity, in some ways, can also be cost-prohibitive. To businesses and organisations who already have problems surviving in Nigeria’s economic downturn, security and proper data protection is seen as a luxury many cannot afford.
“It costs money to hire professionals and actually prioritise security instead of paying lip service. With the current economy, it sometimes can be like asking the organization to choose between security and survival,” says Stavaley.
Nigeria has one of Africa’s best cybersecurity and data protection policies, but that fails to translate into action. Many organisations only pay lip service to security and the absence of an active and communicative authority figure allows many excesses.
Nigeria’s cybersecurity and data protection policies are abstract, and because cybersecurity incidents can be very specific, they require people who can make decisions over each incident and clearly communicate with the media. The National Information Technology Development Agency is far from active. If an organisation is investigated and found at fault for jeopardising or abusing personal data, NITDA can impose a fine equivalent to two percent of the company’s annual turnover or 10 million naira ($23,647) for a data breach, whichever is greater. However, despite news coverage of the PLASCHEMA breach, the agency has yet to put out any press release or attempt to communicate. It also did not respond to WIRED’s multiple requests for comment.
In Nigeria, specific loopholes in the burgeoning use of POS and electronic transactions are leaving many people vulnerable to incidents that sometimes mean loss of money. It’s one of Nigeria’s most pressing cybersecurity issues, cumulatively responsible for more than 60 percent of financial fraud in 2020. Yet it remains unattended to by both financial and cybersecurity authorities.
Accounts of more attacks
In April, Nigerian betting platform Bet9ja suffered a ransomware attack from BlakCat. In May, barely days after launching in Nigeria, MoMo Payment Service Bank suffered a breach that reportedly led to $53 million in losses. In a more parallel case, in 2019, the Lagos Internal Revenue Service (LIRS) was accused of exposing personal data online through its web portal and was fined 1 million naira by NITDA. According to a 2022 report by Sophos, 71 percent of Nigerian organisations were hit by ransomware in the past year, yet some of Nigeria’s worst cybersecurity incidents are still not reported.
Nigeria’s cybersecurity problem reaches both public organisations and private corporations, but corruption, tardiness, and bureaucracy can exacerbate the problem in public organizations. Leaving a data bucket containing crucial personal information misconfigured and unsecured can happen due to human mistakes. But the long days between contact, response, and action and the obvious lack of communication reflects a negligent attitude toward cybersecurity in Nigerian government organizations.
Metro
