The Deep Roots of Nigeria’s Cybersecurity Problem

Despite having one of the strongest data-protection policies in Africa, the country’s enforcement and disclosure practices remain dangerously broken.
[Photo: People lined up to use a Nigerian bank ATM. Photograph: KC Nwakalor/Bloomberg/Getty Images]

On April 3, Website Planet was running a web-mapping project when it discovered unsecured AWS S3 data buckets belonging to a state health agency in Nigeria. These buckets contained some 75,000 entries on an estimated 37,000 people—about 45 GB in all, including identification documents and photos of people registered with the agency. The buckets dated from January 2021, and they were live and being updated at the time of discovery, according to Website Planet.

The agency, known as the Plateau State Contributory Healthcare Management Agency (PLASCHEMA), had been launched in September 2020 by the state's governor, Simon Bako Lalong, and it was geared toward providing cheap and accessible health care for residents of Nigeria's Plateau state.

On April 5, Website Planet contacted Nigerian authorities, informing them of the exposed data buckets. But Website Planet says the data buckets remained live and unsecured until late July. It’s unknown if malicious actors found the data before they were secured, says a spokesperson for Website Planet, but “the longer it was left open, the more likely it could be caught by malicious parties.” Personal information like that found in the buckets could be exploited for identity theft, which could be used to open social media and virtual bank or credit accounts.

On July 23, days after the unsecured buckets were locked down, Fabong Yildam, director general of PLASCHEMA, denied any data breach or exposure in a press conference.

The incident, sadly, is typical of widespread cybersecurity problems in Nigeria, where regulations are ineffective, bad practices run rampant, and public disclosures of security breaches are often slow and insufficient.

“Many organizations in developed countries communicate when they have cases of cyberattacks, which encourages cyber-resilience and widespread incident response,” says Confidence Staveley, a Nigerian security analyst and executive director of the Cybersafe Foundation, a security consultancy and advocacy group. “Back here, however, we see that generally, a lot of organizations absolutely deny the occurrence of cyberattacks and data breach incidents, even in the presence of undeniable evidence. That, or they drastically play down the incident.”

In August 2020, two major Nigerian banks were reported to have suffered data breaches, exposing the financial details of their customers. Neither bank responded until days later, and then their press releases were vague, neither denying nor admitting to the occurrence of any data breach.

Earlier this year, in July, David Hundeyin, an independent Nigerian journalist, also reported a possible compromise of emails belonging to the Lagos state government and the sale of these emails in the dark market. The Lagos state government and Nigeria’s cybersecurity agencies remained quiet over Hundeyin’s claims, neither responding nor denying the alleged breach.

By not communicating, these agencies fail to equip their customers and other stakeholders with the information they need to protect themselves and provide actionable advice to anyone exposed by a potential breach. The lack of communication, Staveley says, along with many bad cybersecurity practices, undermines cybersecurity and data protection in Nigeria, and creates a severe lack of trust and capacity.

Many IT infrastructure and data processes in Nigeria do not factor in security and protection, says Staveley, who's worked and consulted with various banks and government agencies in a cybersecurity capacity. “Organizations do not even understand the weight that comes with collecting data. They do not see the data they collect as something that needs to be protected, and so they don’t thoroughly consider encryption and security in their data pipelines.”

Nigeria's National Information Technology Development Agency (NITDA) is in charge of cybersecurity and data protection, and it has established regulations and guidelines requiring organizations that process personal data to secure the collection, processing, and storage of that data, and to perform data security audits annually. The 2020 Data Protection Bill also states that personal data should be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and access against loss.”

In practice, however, data collection and processing in Nigeria remain largely unmonitored, and protection is often an afterthought. Sensitive data such as addresses, mobile numbers, financial details, and even identification numbers are asked for in queues, malls, and office receptions—places where such data are not necessary, and where they are left accessible to anyone with enough curiosity to check the often public records. “Most people do not even know the importance of their personal data, and no one bothers to tell them that it’s important,” says Staveley.

There's also a talent-retention problem, mainly due to poor remuneration and the lack of value placed on the work of cybersecurity specialists. According to a mail exchange between Website Planet and a spokesperson for Nigeria's Computer Emergency Response Team obtained by WIRED, PLASCHEMA seemingly lacked the access or technical expertise to fix the problem immediately. “The organization seems to not have the access or the technical ability to remediate the incident promptly,” read the June 27, 2022, email.

“We don't appreciate cybersecurity in this country, for now,” says Moses Joshua, a cybersecurity specialist and founder of Diary of Hackers, a cybersecurity community that, among many other things, tells the stories of hackers. Because of problems with compensation and the lack of tools and incentives needed to perform properly, cybersecurity professionals find it hard to work for Nigerian firms or organizations.

“It’s hard to find a veteran hacker working for Nigerian firms. At most, they’re used as transitions—to gain experience—and once they [cybersecurity specialists] get like two to three years of experience, they leave. It makes no sense to stay in a place where you're paid less, there's little to no career projection, and you have limited access to important trade tools,” Joshua says. (Staveley also raised this concern.) This leads not only to a shortage of cybersecurity talent but also to a darker version of the same problem: the talent that remains has a shallow knowledge of the industry, because many do not stay long enough to learn, and every generation has to start over.

This problem spills over to tech talent generally. As remote work has become more and more acceptable, retaining tech talent has become harder for local firms and organizations, which are forced to compete with bigger corporations that can pay more and offer better career paths. This is a significant problem, especially for startups. But those most affected are firms and organizations with little to no international prospects, such as Nigerian banks. Nigeria’s traditional banks are at the forefront of the “great tech resignation,” which has greatly affected tech infrastructure such as bank apps, email networks, and security.

Cybersecurity, in some ways, can also be cost-prohibitive. For businesses and organizations that already struggle to survive Nigeria’s economic downturn, security and proper data protection are seen as luxuries many cannot afford. “It costs money to hire professionals and actually prioritize security instead of paying lip service,” says Staveley. “With the current economy, it sometimes can be like asking the organization to choose between security and survival.”

Nigeria has one of Africa's best cybersecurity and data protection policies, but that fails to translate into action. Many organizations only pay lip service to security, and the absence of an active and communicative authority figure allows many excesses.

Nigeria's cybersecurity and data protection policies are abstract, and because cybersecurity incidents can be very specific, they require people who can make decisions over each incident and clearly communicate with the media. The National Information Technology Development Agency is far from active. If an organization is investigated and found at fault for jeopardizing or abusing personal data, NITDA can impose a fine equivalent to 2 percent of the company’s annual turnover or 10 million naira ($23,647) for a data breach, whichever is greater. However, despite news coverage of the PLASCHEMA breach, the agency has yet to put out any press release or attempt to communicate. It also did not respond to WIRED’s multiple requests for comment.

In Nigeria, specific loopholes in the burgeoning use of point-of-sale (POS) and electronic transactions are leaving many people vulnerable to incidents that sometimes mean loss of money. It's one of Nigeria's most pressing cybersecurity issues, cumulatively responsible for more than 60 percent of financial fraud in 2020. Yet it remains unattended to by both financial and cybersecurity authorities.

In April, Nigerian betting platform Bet9ja suffered a ransomware attack from BlakCat. In May, barely days after launching in Nigeria, MoMo Payment Service Bank suffered a breach that reportedly led to $53 million in losses. In a closer parallel to the PLASCHEMA case, in 2019 the Lagos Internal Revenue Service (LIRS) was accused of exposing personal data online through its web portal and was fined 1 million naira by NITDA. According to a 2022 report by Sophos, 71 percent of Nigerian organizations were hit by ransomware in the past year, yet some of Nigeria’s worst cybersecurity incidents are still not reported.

Nigeria’s cybersecurity problem reaches both public organizations and private corporations, but corruption, tardiness, and bureaucracy can exacerbate the problem in public organizations. Leaving a data bucket containing crucial personal information misconfigured and unsecured can be a simple human mistake. But the long days between contact, response, and action—and the obvious lack of communication—reflect a negligent attitude toward cybersecurity in Nigerian government organizations.

As Staveley puts it, “We have a long way to go.”