On April 3, Website Planet was running a web-mapping project when it discovered unsecured AWS S3 data buckets belonging to a state health agency in Nigeria. These buckets contained some 75,000 entries on an estimated 37,000 people—about 45 GB in all, including identification documents and photos of people registered with the agency. The buckets dated from January 2021, and they were live and being updated at the time of discovery, according to Website Planet.
The agency, known as the Plateau State Contributory Healthcare Management Agency (PLASCHEMA), had been launched in September 2020 by the state’s governor, Simon Bako Lalong, and it was geared toward providing cheap and accessible health care for residents of Nigeria’s Plateau state.
On April 5, Website Planet contacted Nigerian authorities, informing them of the exposed data buckets. But Website Planet says the data buckets remained live and unsecured until late July. It’s unknown if malicious actors found the data before they were secured, says a spokesperson for Website Planet, but “the longer it was left open, the more likely it could be caught by malicious parties.” Personal information like that found in the buckets could be exploited for identity theft, which could be used to open social media and virtual bank or credit accounts.
On July 23, days after the unsecured buckets were locked down, Fabong Yildam, director general of PLASCHEMA, denied any data breach or exposure in a press conference.
The incident, sadly, is typical of widespread cybersecurity issues in Nigeria, where regulations are ineffective, bad practices run rampant, and public disclosures of security breaches are often slow and insufficient.
“Many organizations in developed countries communicate when they have cases of cyberattacks, which encourages cyber-resilience and widespread incident response,” says Confidence Staveley, a Nigerian security analyst and executive director of the Cybersafe Foundation, a security consultancy and advocacy group. “Back here, however, we see that generally, a lot of organizations absolutely deny the occurrence of cyberattacks and data breach incidents, even in the presence of undeniable evidence. That, or they drastically play down the incident.”
In August 2020, two major Nigerian banks were reported to have suffered data breaches, exposing the financial details of their customers. Neither bank responded until days later, and then their press releases were vague, neither denying nor admitting to the occurrence of any data breach.
Earlier this year, in July, David Hundeyin, an independent Nigerian journalist, also reported a possible compromise of emails belonging to the Lagos state government and the sale of these emails in the dark market. The Lagos state government and Nigeria’s cybersecurity agencies remained quiet over Hundeyin’s claims, neither responding nor denying the alleged breach.
By not communicating, these agencies fail to equip their customers and other stakeholders with the information they need to protect themselves and provide actionable advice to anyone exposed by a potential breach. The lack of communication, Staveley says, along with many bad cybersecurity practices, undermines cybersecurity and data protection in Nigeria, and creates a severe lack of trust and capacity.