The depths of Nigeria’s cybersecurity problem

By Nicole

Website Planet ran a web-mapping project in the country.

Website Planet uncovered unprotected AWS S3 data buckets belonging to a Nigerian state health agency on April 3 while working on a web-mapping project. These buckets included identification documents and images of people who had registered with the service, totaling around 45 GB and 75,000 entries on an estimated 37,000 people. When they were discovered, the buckets had been live and receiving updates since January 2021. The Plateau State Contributory Healthcare Management Agency (PLASCHEMA) was established in September 2020 by the state’s governor, Simon Bako Lalong, with the goal of providing affordable and convenient healthcare to Plateau state’s citizens.

Website Planet notified the Nigerian authorities of the exposed data buckets on April 5. However, according to Website Planet, the data buckets were still active and unprotected as of late July. Whether malicious actors discovered the data before it was secured is unknown. “The longer it was left open, the more probable it may be caught by malicious parties,” the representative said. The buckets’ personal data could be used for identity theft in order to open fake bank and credit accounts on social media. Fabong Yildam, director general of PLASCHEMA, denied any data breach or exposure in a news conference on July 23, a few days after the open buckets were secured.

The incident is an example of the cybersecurity issues in Nigeria.

Sadly, this situation is indicative of Nigeria’s pervasive cybersecurity problems, where regulations are ineffectual, unethical behavior is ubiquitous, and public notifications of security breaches are frequently tardy and insufficient. Confidence Staveley, a Nigerian security analyst and executive director of Cybersafe Foundation, a security consultancy and advocacy group, claims that “many organizations in developed countries communicate when they have cases of cyberattacks, which encourages cyber-resilience and widespread incident response.” “Back here, however, we observe that usually, a lot of organizations categorically deny the incidents of cyberattacks and data breach incidents, even in the presence of indisputable evidence that they greatly downplay the incident,” she adds.

Two significant Nigerian banks were said to have experienced data breaches in August 2020, exposing the financial information of their clients. Neither bank reacted for days, and when they did, their press statements were evasive, neither denying nor acknowledging the existence of any data breach. Early in July, independent Nigerian journalist David Hundeyin also revealed the potential breach of emails belonging to the Lagos state administration and their sale on the underground market. In response to Hundeyin’s allegations, the Lagos state government and Nigeria’s cybersecurity organizations stayed silent, neither commenting on nor disputing the claimed intrusion.

Regulations and guidelines have been established by the NITDA.

The National Information Technology Development Agency (NITDA) of Nigeria, which is in charge of cybersecurity and data protection, has established rules and guidelines requiring businesses that handle personal data to be secure in their collection, processing, and storage of that data and to conduct yearly data security audits. Personal data must be treated in a way that ensures proper security, including defense against unauthorized or unlawful processing, access, and loss, according to the 2020 Data Protection Bill. However, in reality, data collection and processing in Nigeria continue to be largely unmonitored, and protection is frequently a secondary concern. Sensitive information, including addresses, phone numbers, financial information, and even identification numbers, is requested in lines at shopping centres and office reception areas even though it is not required, and it is open to anyone with enough curiosity to look up the frequently public records.

Because cybersecurity events can be highly unique, Nigeria’s cybersecurity and data protection rules must have personnel who can make choices about each occurrence and clearly communicate with the media. This is far from being active according to the National Information Technology Development Agency. In the event that an organization is determined to have compromised or abused personal data, NITDA may levy a penalty of up to 10 million naira ($23,647) or 2% of the company’s annual revenue, whichever is higher. Nevertheless, the agency has neglected to issue a press statement or make an effort to communicate despite news reports about the PLASCHEMA breach. It also declined to comment in response to WIRED’s numerous requests.

The lack of communication creates a severe lack of trust and capacity.

By failing to communicate, these organizations deprive their clients and other stakeholders of the knowledge they need to protect themselves, as well as the opportunity to offer useful advice to anyone exposed by a potential breach. According to Staveley, poor cybersecurity practices and a lack of communication impair data protection and cybersecurity in Nigeria and foster a significant lack of competence. According to Staveley, who has worked with and provided cybersecurity consultations to a number of banks and government organizations, many IT infrastructure and data operations in Nigeria do not take security and protection into account. Organizations don’t even comprehend the burden that data collection carries. They don’t fully take into account encryption and security in their data pipelines because they don’t view the data they collect as something that needs to be secured.