On April 3, Website Planet was running a web-mapping project when it discovered unsecured AWS S3 data buckets from a state health organization in Nigeria. These buckets contained some 75,000 entries for an estimated 37,000 people – about 45 GB in total, including identification documents and photos of people registered with the agency. The buckets were dated January 2021 and they were live and updated at the time of discovery, according to Website Planet.
The agency, known as the Plateau State Contributory Healthcare Management Agency (PLASCHEMA), was founded in September 2020 by the state’s governor, Simon Bako Lalong, and it aimed to provide low-cost and accessible health care for residents of Plateau State in Nigeria.
On April 5, Website Planet contacted the Nigerian authorities and informed them about the exposed data buckets. But Website Planet says the data buckets remained live and unsecured until the end of July. It’s not known if attackers found the data before it was protected, a Website Planet spokesperson said, but “the longer it was open, the more likely the attackers could capture it.” Personal information like that in the buckets can be misused for identity theft, which can be used to open social media and virtual bank or credit accounts.
On July 23, days after the unsecured buckets were locked, PLASCHEMA Director General Fabong Yildam denied a data breach or exposure at a press conference.
Unfortunately, the incident is typical of widespread cybersecurity problems in Nigeria, where regulation is ineffective, bad practices are rampant and public disclosures of security breaches are often slow and inadequate.
“Many organizations in developed countries communicate when they have cyberattacks, which encourages cyber resilience and widespread incident response,” said Confidence Staveley, a Nigerian security analyst and executive director of the Cybersafe Foundation, a security advisory and advocacy organization. “Back here, however, we see that in general, many organizations absolutely deny the occurrence of cyberattacks and data breach incidents, even if there is irrefutable evidence. That, or they drastically downplay the incident.”
In August 2020, two major Nigerian banks are said to have suffered data breaches, exposing the financial details of their customers. Neither bank responded until days later, and then their press releases were vague, neither denying nor admitting the occurrence of a data breach.
Earlier this year, in July, David Hundeyin, an independent Nigerian journalist, also reported a possible compromise of emails from the state government of Lagos and the sale of these emails on the dark market. The Government of Lagos State and Nigeria’s cybersecurity authorities remained silent about Hundeyin’s claims and neither responded to nor denied the alleged breach.
By failing to communicate, these agencies fail to equip their clients and other stakeholders with the information they need to protect themselves, and fail to provide actionable advice to anyone exposed to a potential breach. The lack of communication, Staveley says, along with many bad cybersecurity practices, is undermining cybersecurity and data protection in Nigeria and creating a serious lack of trust and capacity.