Cybersecurity: Personal data of Nigerians Exposed

ID Card of a Nigerian exposed. Photo: IT News Africa

A new report from the cybersecurity team of online resource supplier Website Planet indicates that a huge alleged security fault at Nigerian government healthcare organisation PLASCHEMA (Plateau State Contributory Health Care Management Agency) has exposed over 45 GB of personal data, more than 75,000 files, belonging to an estimated 37,000 people, IT News Africa reports.

The massive oversight, according to Website Planet’s team, has left ID cards (showing full names, dates of birth, occupations, blood groups and even personal addresses, parents’ full names and registration details), birth certificates, personal photographs, identification for government officials and more in the open online with no protection.

PLASCHEMA manages the Plateau State Universal Healthcare System, a program that is designed to bring affordable healthcare to the people of Plateau State, a region in Central Nigeria.

How the Alleged Information Exposure Was Found

According to the security team, 11 of PLASCHEMA’s Amazon Web Services (AWS) data buckets were left unsecured, without any authentication or encryption measures in place. The unprotected AWS buckets left thousands of files in the open for anyone with the right know-how to access at any time. Each of the unsecured buckets contained personal information belonging to PLASCHEMA program applicants from a city in the Plateau State.
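For bucket owners, the two gaps described above (no authentication, no encryption) can be checked from a bucket's own settings. The following is an added example, not part of the Website Planet report: it audits a snapshot whose dict layout is hypothetical, with values shaped like the responses of S3's GetBucketAcl, GetBucketPolicy, GetPublicAccessBlock and GetBucketEncryption operations, and the sample buckets are constructed.

```python
import json

# ACL grantee groups meaning "anyone" and "any AWS account holder".
S3_GROUPS = "http://acs.amazonaws.com/groups/global/"
PUBLIC_GROUPS = {S3_GROUPS + "AllUsers", S3_GROUPS + "AuthenticatedUsers"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def policy_is_public(policy_json):
    """True if an Allow statement names a wildcard principal with no Condition."""
    if not policy_json:
        return False
    statements = json.loads(policy_json).get("Statement", [])
    for stmt in statements if isinstance(statements, list) else [statements]:
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        wildcard = aws == "*" or (isinstance(aws, list) and "*" in aws)
        # Simplification: conditioned statements are not flagged; review by hand.
        if stmt.get("Effect") == "Allow" and wildcard and not stmt.get("Condition"):
            return True
    return False

def audit_bucket(snap):
    """Return a list of findings for one bucket snapshot (hypothetical dict layout)."""
    pab = snap.get("PublicAccessBlock", {})
    findings = []
    acl_public = any(g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS
                     for g in snap.get("Grants", []))
    if acl_public and not pab.get("IgnorePublicAcls"):
        findings.append("public-acl")       # public ACL grant is honoured
    if policy_is_public(snap.get("Policy")) and not pab.get("RestrictPublicBuckets"):
        findings.append("public-policy")    # anonymous principals are allowed
    if not all(pab.get(flag) for flag in PAB_FLAGS):
        findings.append("public-access-block-incomplete")
    if not snap.get("EncryptionRules"):
        findings.append("no-default-encryption")
    return findings

# Constructed snapshots for illustration; not data from the report.
OPEN_BUCKET = {
    "Grants": [{"Grantee": {"Type": "Group", "URI": S3_GROUPS + "AllUsers"}, "Permission": "READ"}],
    "Policy": json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
                                         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}),
    "PublicAccessBlock": {}, "EncryptionRules": [],
}
HARDENED_BUCKET = {
    "Grants": [], "Policy": None, "PublicAccessBlock": dict.fromkeys(PAB_FLAGS, True),
    "EncryptionRules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}],
}
```

With all four Public Access Block flags enabled, a leftover public ACL or policy no longer produces a finding, which is why the block settings are reported separately.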

Birth certificate exposed. Source: IT News Africa

Amazon is apparently not responsible for any of the security measures at the Nigerian organisation.

A government official ID card which was allegedly found in the open buckets.

Website Planet’s team found the alleged exposure, PLASCHEMA’s buckets left in the open without any protection, as part of the company’s web mapping project.

“We use web scanners to identify unsecured data stores on the internet. We responsibly analyze, secure, and report these data incidents to raise awareness about the dangers of cybercrime and help affected companies and users,” says Website Planet about the leak.

Timeline on the cybersecurity breach

According to the security team, PLASCHEMA’s open buckets were first found on 3 April 2022. Two days later, Website Planet messaged the Nigerian Federal Government about the fault. On 11 April 2022, Website Planet then contacted the Nigerian Computer Emergency Response Team (CERT) for the first time.

Website Planet says that only on 10 May 2022 did Nigeria’s CERT finally respond via Twitter, asking for more information. The team says it contacted more individuals involved in Nigeria’s data protection, including Nigeria’s Data Protection Officer. On 12 May, CERT responded saying “We will ensure the incident is resolved as soon as possible.”

Source: IT News Africa

On 25 May, Website Planet says that the buckets were still unsecured, nearly 15 days after Nigeria’s CERT was first made aware of the security issue. On 30 May, Nigeria’s CERT reportedly told the Website Planet team that it was struggling to make contact with PLASCHEMA, but they had sent a hardcopy letter to the organisation.

The buckets, and all the personal information therein, were still not secure as of 9 June 2022, Website Planet says. Nigeria’s CERT contacted Website Planet at that time and replied that they had “contacted the organisation hoping to secure the buckets.” Seemingly as of right now, the buckets are still open.

What This Massive Exposure Means

Website Planet says that it currently does not know if any threat actors have reached the information, but warns that any leaked personal info could be used in targeted cybercrimes.

Hackers could potentially use the information, such as applicant IDs and photographs, for impersonation. Many online services accept these documents as proof of identification. Threat actors could join online organisations, such as financial agencies, using the victim’s information and conduct fraudulent activity.

If Website Planet’s allegations are true, this could cause a great deal of reputational damage to PLASCHEMA, as well as other Nigerian government agencies. This level of oversight is catastrophic, especially as African countries have recently been tightening up data protection laws, such as PoPIA in South Africa. PLASCHEMA could find itself coming under investigation by Nigeria’s National Information Technology Development Agency (NITDA) if it has exposed the personal data of citizens through such a glaring oversight.

Website Planet warns citizens of Plateau State, especially if they are part of PLASCHEMA’s programme, that they should monitor social media and other popular sites and services for fake accounts in their name.

Can Website Planet Be Trusted?

While Website Planet operates as more of a resource for web designers, digital marketers and online business practitioners, it says that its “ethical” security research team conducts experiments and frequently discovers online information exposures, such as a massive information exposure at US-based Fox News.

The company did provide screengrabs of the alleged exposed information, such as ID cards and photographs as part of the report. This indicates that the Website Planet team did indeed come across some personal information of PLASCHEMA applicants floating online.

African Countries Need to Invest in Proper Cybersecurity Practices in the Public Sector

Public sector organisations (PSOs) in Africa are continually targeted by cybercriminals. In 2021, South Africa’s port authority Transnet was subject to a massive ransomware attack that halted all sea imports and exports for more than a week. The country’s Department of Justice was also attacked that same year, causing a huge delay in court cases.

The alleged PLASCHEMA breach has shown us that missing education on cybersecurity practices in the sector can lead to apparent failures in security, especially when it comes to safe private information management.

Ubong Nsekpong

Ubong Nsekpong is a graduate of Communication Engineering from FUTO. Founder, TechForest SoftTechnologies Ltd. A web developer, digital marketer, writer and a passionate promoter of the tech ecosystem in Nigeria South.
