The Deep Roots of Nigeria’s Cybersecurity Problems

On April 3, Website Planet was running a network mapping project when it discovered unsecured AWS S3 buckets belonging to a state health agency in Nigeria. The buckets contained about 75,000 entries for about 37,000 people (about 45 GB in total), including identification documents and photos of people registered with the agency. According to Website Planet, the buckets were dated January 2021 and were active and being updated at the time of discovery.

Known as the Plateau State Healthcare Administration (PLASCHEMA), the agency was established in September 2020 by the state’s Governor, Simon Bako Lalong, to provide residents of Plateau State, Nigeria, with affordable and easy access to healthcare.

On April 5, Website Planet contacted Nigerian authorities to inform them of the exposed data buckets. But Website Planet said the buckets remained active and unsecured until late July. A spokesman for Website Planet said it’s unclear whether malicious actors discovered the data before it was secured, but “the longer it’s open, the more likely it’s going to be caught by malicious parties.” Personal information like that found in the buckets may be used for identity theft, which can be used to open social media and virtual bank or credit accounts.

On July 23, days after the unsecured buckets were locked down, Fabong Yildam, Director General of PLASCHEMA, denied any data breach or exposure at a press conference.

Sadly, the incident is a poster child for the pervasive cybersecurity problem in Nigeria, where regulations are ineffective, bad practices are rampant, and public disclosure of security breaches is often slow and insufficient.

“Many organizations in developed countries communicate when they encounter a cyberattack case, which encourages cyber resilience and broad incident response,” said Confidence Staveley, Nigerian security analyst and executive director of the Cybersafe Foundation, a security consulting and advocacy group. “Returning here, however, we see that, in general, many organizations absolutely deny that cyberattacks and data breaches have occurred, even when there is undeniable evidence. That, or they downplay the incident outright.”

In August 2020, two major Nigerian banks reportedly suffered data breaches that exposed financial details of their customers. Neither bank responded until days later, and their press releases were vague, neither denying nor admitting that any data breach had occurred.

Earlier this year, in July, Nigerian independent journalist David Hundeyin also reported that emails belonging to the Lagos state government had potentially been compromised and that those emails were being sold on the dark market. The Lagos state government and Nigeria’s cybersecurity agency remained silent on Hundeyin’s claims, neither responding to nor denying the alleged breach.

Without communication, these agencies are unable to provide their clients and other stakeholders with the information they need to protect themselves, or provide actionable advice to anyone exposed to potential breaches. Lack of communication, along with many poor cybersecurity practices, undermines cybersecurity and data protection in Nigeria, and creates a severe lack of trust and competence, Staveley said.
