Website Planet ran a web-mapping project in the country.
Website Planet uncovered unprotected AWS S3 data buckets belonging to a Nigerian state health agency on April 3 while working on a web-mapping project. These buckets included identification documents and images of people who had registered with the service, totaling around 45 GB and 75,000 entries on an estimated 37,000 people. When they were discovered, the buckets had been live and receiving updates since January 2021. The Plateau State Contributory Healthcare Management Agency (PLASCHEMA) was established in September 2020 by the state’s governor, Simon Bako Lalong, with the goal of providing affordable and convenient healthcare to Plateau state’s citizens.
Website Planet notified the Nigerian authorities of the exposed data buckets on April 5. However, according to Website Planet, the data buckets were still active and unprotected as of late July. Whether malicious actors discovered the data before it was secured is unknown. “The longer it was left open, the more probable it may be caught by malicious parties,” the representative said. The buckets’ personal data could be used for identity theft in order to open fake bank and credit accounts on social media. Fabong Yildam, director general of PLASCHEMA, denied any data breach or exposure in a news conference on July 23, a few days after the open buckets were secured.
The incident is an example of the cybersecurity issues in Nigeria.
Sadly, this situation is indicative of Nigeria’s pervasive cybersecurity problems, where regulations are ineffectual, unethical behavior is ubiquitous, and public notifications of security breaches are frequently tardy and insufficient. Confidence Staveley, a Nigerian security analyst and executive director of Cybersafe Foundation, a security consultancy and advocacy group, claims that “many organizations in developed countries communicate when they have cases of cyberattacks, which encourages cyber-resilience and widespread incident response.” “Back here, however, we observe that usually, a lot of organizations categorically deny the incidents of cyberattacks and data breach incidents, even in the presence of indisputable evidence that they greatly downplay the incident,” the author writes.
Two significant Nigerian banks were said to have experienced data breaches in August 2020, exposing the financial information of their clients. Days later, neither bank had reacted, and when they did, their press statements were evasive, neither denying nor acknowledging the existence of any data breach. Early in July, independent Nigerian journalist David Hundeyin also revealed the potential breach of emails belonging to the Lagos state administration and their sale on the underground market. In response to Hundeyin’s allegations, the Lagos state government and Nigeria’s cybersecurity organizations stayed silent, neither commenting on nor disputing the claimed intrusion.
Regulations and guidelines have been established by the NITDA.
The National Information Technology Development Agency (NITDA) of Nigeria, which is in charge of cybersecurity and data protection, has established rules and guidelines requiring businesses that handle personal data to be secure in their collection, processing, and storage of that data and to conduct yearly data security audits. Personal data must be treated in a way that ensures proper security, including defense against unauthorized or unlawful processing, access, and loss, according to the 2020 Data Protection Bill. However, in reality, data collection and processing in Nigeria continue to be largely unmonitored, and protection is frequently a secondary concern. Sensitive information, including addresses, phone numbers, financial information, and even identification numbers, is requested in lines at shopping centres and office reception areas even though it is not required, and is open to anyone with enough curiosity to look up the frequently public records.
Because cybersecurity events can be highly unique, Nigeria’s cybersecurity and data protection rules must have personnel who can make choices about each occurrence and clearly communicate with the media. This is far from being active according to the National Information Technology Development Agency. In the event that an organization is determined to have compromised or abused personal data, NITDA may impose a penalty of up to 10 million naira ($23,647) or 2% of the company’s annual revenue, whichever is higher. Nevertheless, the agency has neglected to issue a press statement or make an effort to communicate despite news reports about the PLASCHEMA breach. It also declined WIRED’s numerous requests for comment.
The lack of communication creates a severe lack of trust and capacity.
By failing to communicate, these organizations deprive their clients and other stakeholders of the knowledge they need to protect themselves as well as the opportunity to offer anyone exposed by a potential breach useful advice. According to Staveley, poor cybersecurity practices and a lack of communication impair data protection and cybersecurity in Nigeria and foster a significant lack of competence. According to Staveley, who has worked and provided cybersecurity consultations to a number of banks and government organizations, many IT infrastructure and data operations in Nigeria do not take security and protection into account. Organizations don’t even comprehend the burden that data collection carries. They don’t fully take into account encryption and security in their data pipelines because they don’t view the data they collect as something that needs to be secured.
It is to everyone’s benefit that something like this was established with the goal of offering Plateau state residents healthcare that is both inexpensive and easy to get.
It is to everyone’s advantage that the private information associated with The Buckets might be used for identity theft in order to set up phony bank and credit accounts on social media.
This incident is symptomatic of Nigeria’s systemic cybersecurity issues, such as ineffective regulation, widespread unethical activity, and inadequate or delayed public notice of security breaches.
Addresses, phone numbers, financial information, and even identity numbers are requested in shopping mall and office reception lines, even though they are not required and are often public records.
Many businesses in industrialized nations share information about cyberattacks as they occur, fostering cyber-resilience and incident response across the board.
This issue is representative of the widespread cybersecurity vulnerabilities that exist in Nigeria, where rules are ineffective and unethical conduct is prevalent across the country.
The public is often not notified of security breaches in a timely manner, and such warnings are often inadequate. However, this new breakthrough could assist with that.
According to the security consultant and advocacy group, cyber-resilience is fostered when businesses in industrialized nations share information about cyberattacks with one another. This is an approach that should be used in Nigeria.
It would be beneficial if personal information was required to be handled in a manner that guarantees adequate security, including protection against illegal or unauthorized processing, access, and loss.
Companies have no idea how much work data acquisition really is. They don’t see the data they’re collecting as something that has to be protected, therefore they don’t give it any thought while designing their data pipelines.
Personal data and other valuable information are something that should be strongly safeguarded, but unfortunately here in Nigeria it is not paramount, which is why cybercrime and online breaches are prevalent.
There is a great threat to cyber security in Nigeria, and the government needs to do more to secure and safeguard data and its operations in order to reduce cyber crime.
Our cyber security needs to be strong; we need to improve it to help protect our valuable data and keep it private. Safeguarding data is very important and prevents cyber crime also.
Sadly, this situation is indicative of Nigeria’s pervasive cybersecurity problems, where regulations are ineffectual, unethical behavior is ubiquitous, and public notifications of security breaches are frequently tardy and insufficient.
Unfortunately, this circumstance is a sign of Nigeria’s widespread cybersecurity issues, where laws are ineffective, unethical behavior is endemic, and public notifications of security breaches are usually delayed and insufficient.
Lack of trust is exposing most of our companies to data breach. They are experiencing many cyber security challenges but have failed to reality of it believe that protecting the company image and reputation.
Most companies in Nigeria will not want to expose the incompetence of their companies in handling people’s data and as such will not want to share the experience with cyber security challenges.
Well, everything in Nigeria is not normal. Security problem in Nigeria both in cyber. I just pray we get it right in 2023.
This will really change the landscape of cyberspace in the country.
Lack of communication has created and resulted in a severe lack of trust and capacity. Poor cybersecurity practices and a lack of communication impair data protection and cybersecurity in Nigeria and have fostered a significant lack of competence.