ID cards, home addresses of Nigerians exposed in huge government security failure


A new report from the cyber-security team of online resource supplier Website Planet indicates that an alleged security failure at the Nigerian government healthcare organisation PLASCHEMA (Plateau State Contributory Health Care Management Agency) has exposed over 45 GB of personal data, more than 75,000 files, belonging to an estimated 37,000 people.

The massive oversight, according to Website Planet’s team, has left information such as ID cards – including full names, dates of birth, occupations, blood groups and even personal addresses, parents’ full names and registration details – birth certificates, personal photographs, identification for government officials and more, in the open online with no protection.

PLASCHEMA manages the Plateau State Universal Healthcare System, a program that is designed to bring affordable healthcare to the people of Plateau State, a region in Central Nigeria.

Image caption: An applicant’s birth certificate exposed in the alleged breach.

According to the security team, 11 of PLASCHEMA’s Amazon Web Services (AWS) data buckets were left unsecured, without any authentication or encryption measures in place.

The unprotected AWS buckets left thousands of files in the open, accessible at any time to anyone with the right know-how. Each of the unsecured buckets contained personal information belonging to PLASCHEMA programme applicants from a city in Plateau State.

Amazon is apparently not responsible for any of the security measures at the Nigerian organisation.
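Because bucket configuration is the customer’s responsibility under AWS’s shared-responsibility model, the first question for any organisation in PLASCHEMA’s position is whether its own buckets show the same three gaps the report describes: no public-access block, a policy or ACL that admits anonymous readers, and no default encryption. The checker below is an added example written for this article; it is neither Website Planet’s scanning tool nor anything from PLASCHEMA. It works offline on the JSON shapes the real S3 APIs return (GetPublicAccessBlock, GetBucketPolicy, GetBucketAcl, GetBucketEncryption), so the sample "open" and "hardened" buckets, the bucket name, role ARN and account ID are all constructed placeholders.

```python
"""Offline audit of an S3 bucket's exposure settings (added example, constructed data)."""
import json

# Canned group URIs that make an ACL grant world- or any-AWS-user-readable.
PUBLIC_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# All four flags must be true for the account/bucket-level public access block to be effective.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _principal_is_public(principal):
    """True for the two spellings of an anonymous principal: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def bucket_findings(public_access_block, policy_json, acl_grants, encryption_rules):
    """Return human-readable findings; an empty list means none of the checked gaps is present."""
    findings = []

    # 1. Public access block: every flag that is missing or false is a gap.
    pab = public_access_block or {}
    missing = [flag for flag in PAB_FLAGS if not pab.get(flag)]
    if missing:
        findings.append("public access block not fully enabled: " + ", ".join(missing))

    # 2. Bucket policy: an unconditional Allow to an anonymous principal means no authentication.
    if policy_json:
        statements = json.loads(policy_json).get("Statement", [])
        statements = [statements] if isinstance(statements, dict) else statements
        for stmt in statements:
            if (stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal"))
                    and not stmt.get("Condition")):
                actions = stmt.get("Action", [])
                actions = [actions] if isinstance(actions, str) else actions
                findings.append("bucket policy allows anonymous principal: " + ", ".join(actions))

    # 3. Legacy ACLs: grants to the AllUsers / AuthenticatedUsers groups.
    for grant in acl_grants or []:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant.get('Permission')} to {group}")

    # 4. No default server-side encryption rule configured.
    if not encryption_rules:
        findings.append("no default server-side encryption configured")
    return findings


# Constructed sample resembling the state the article describes: everything open.
OPEN_BUCKET = dict(
    public_access_block={flag: False for flag in PAB_FLAGS},
    policy_json=json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-applicants", "arn:aws:s3:::example-applicants/*"]}]}),
    acl_grants=[{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                 "Permission": "READ"}],
    encryption_rules=[],
)

# Constructed sample of the corrected configuration: block on, one named role, KMS encryption.
HARDENED_BUCKET = dict(
    public_access_block={flag: True for flag in PAB_FLAGS},
    policy_json=json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app"},
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-applicants/*"}]}),
    acl_grants=[{"Grantee": {"Type": "CanonicalUser", "ID": "bucket-owner"}, "Permission": "FULL_CONTROL"}],
    encryption_rules=[{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}],
)

if __name__ == "__main__":
    for name, bucket in (("open", OPEN_BUCKET), ("hardened", HARDENED_BUCKET)):
        print(name, bucket_findings(**bucket) or ["no findings"])
```

Against live buckets the four dictionaries would be filled from the corresponding boto3 calls; the checker itself is deliberately kept free of network access so it can also be run over exported configuration in an incident review, which is the kind of evidence a CERT would want before confirming that a reported bucket has actually been closed.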

Image caption: A government official ID card which was allegedly found in the open buckets.

Website Planet’s team found the alleged exposure, PLASCHEMA’s buckets left in the open without any protection, as part of the company’s web mapping project.

“We use web scanners to identify unsecured data stores on the internet. We responsibly analyze, secure, and report these data incidents to raise awareness about the dangers of cybercrime and help affected companies and users,” says Website Planet about the leak.

Timeline

According to the security team, PLASCHEMA’s open buckets were first found on 3 April 2022; two days later, Website Planet messaged the Nigerian Federal Government about the fault. On 11 April 2022, Website Planet contacted the Nigerian Computer Emergency Response Team (CERT) for the first time.

Website Planet says that only on 10 May 2022 did Nigeria’s CERT finally respond, via Twitter, asking for more information. The team says it contacted more individuals involved in Nigeria’s data protection, including Nigeria’s Data Protection Officer. On 12 May, CERT responded saying, “We will ensure the incident is resolved as soon as possible.”

On 25 May, Website Planet says that the buckets were still unsecured, nearly 15 days after Nigeria’s CERT was first made aware of the security issue. On 30 May, Nigeria’s CERT reportedly told the Website Planet team that it was struggling to make contact with PLASCHEMA, but they had sent a hardcopy letter to the organisation.

The buckets, and all the personal information therein, were still not secure as of 9 June 2022, Website Planet says. Nigeria’s CERT contacted Website Planet at that time and replied that it had “contacted the organisation hoping to secure the buckets.” At the time of writing, the buckets seemingly remain open.

What This Massive Exposure Means

Website Planet says that it currently does not know if any threat actors have reached the information, but warns that any leaked personal info could be used in targeted cybercrimes.

Hackers could potentially use the information, such as applicant IDs and photographs, for impersonation. Many online services accept these documents as proof of identification. Threat actors could sign up with online organisations, such as financial agencies, using the victim’s information and conduct fraudulent activity.

Image caption: A photograph of a child found amongst the allegedly exposed personal data.

If Website Planet’s allegations are true, this could cause a great deal of reputational damage to PLASCHEMA, as well as other Nigerian government agencies. This level of oversight is catastrophic, especially as African countries have recently been tightening up data protection laws, such as PoPIA in South Africa. PLASCHEMA could find itself coming under investigation by Nigeria’s National Information Technology Development Agency (NITDA) if it has exposed the personal data of citizens through such a glaring oversight.

Website Planet warns citizens of Plateau State, especially if they are part of PLASCHEMA’s programme, that they should monitor social media and other popular sites and services for fake accounts in their name.

Can Website Planet Be Trusted?

While Website Planet operates mainly as a resource for web designers, digital marketers and online business practitioners, it says that its “ethical” security research team conducts experiments and frequently discovers online information exposures, such as a massive information exposure at US-based Fox News.

The company did provide screengrabs of the alleged exposed information, such as ID cards and photographs as part of the report. This indicates that the Website Planet team did indeed come across some personal information of PLASCHEMA applicants floating online.

African Countries Need to Invest in Proper Cybersecurity Practices in the Public Sector

Public sector organisations (PSOs) in Africa are continually targeted by cybercriminals. In 2021, South Africa’s port authority Transnet was subject to a massive ransomware attack that halted all sea imports and exports for more than a week. The country’s Department of Justice was also attacked that same year, causing a huge delay in court cases.

The alleged PLASCHEMA breach has shown us that a lack of education on cybersecurity practices in the sector can lead to apparent failures in security, especially when it comes to the safe management of private information.

The truth is that these incidents are preventable; public organisations just need to be equipped with the right know-how to defend themselves.

If your public organisation is digitally connected, like all successful modern enterprises should be, then you cannot afford to miss the Public Sector Security Summit 2022 (#PubliSec2022), to be held on 2nd and 3rd August 2022.

Register now for #PubliSec2022 and learn from top local and international cybersecurity experts to prepare your public organisation before the attack comes.
