Reports of weak security systems in the Nigerian financial sector which has been making the rounds since the great lockdown came to a head last week when Bank Security, a Twitter handle that focuses on online security issues in banking tweeted that the database of Unity Bank Plc has been breached. The tweets went on to claim that many hacker for a are sharing the data with one hacker boasting that they had shared “only small dump” from the bank, and said “bigger dumps coming [sic] soon”. At least three other hacker forums have since reportedly shared the same database, according to Bank Security.
The online report sent thousands of customers into a frenzy as the hackers boasted that they have access to data of millions of customers and can make transfers and withdrawals easily without the interference of the banks involved. Instead of addressing the issue Unity Bank adopted a “wait and see” attitude believing the news will die a natural death but with more tweets spotlighting on the issue, Unity Bank was forced to issue a statement addressing the matter while not explicitly denying the breach or dismiss the associated data.
In a tersely worded statement, Unity Bank said that “Our attention has been drawn to social media reports purporting a data breach of our systems. For the avoidance of doubt, Unity Bank wishes to reassure all customers that we take the protection of their personal information very seriously in accordance with data protection legislation.“The Bank hereby reassures its customers and the public at large, of the integrity of its systems, controls of which are continually enhanced in line with best practices, to forestall attempts at compromising confidential data.”
Then on August 31, a hacker named Ihebuzo Chris posted a video with his Twitter handle in which he claimed to have stumbled upon sensitive customer data of Access Bank Plc. According to Mr. Ihebuzo, his focus was not to tamper with the Bank’s data; rather he wanted to draw the attention of the Bank to the vulnerabilities within its security system, thus the need to strengthen their firewall. To back up his claims, he printed out hundreds of the Bank’s customer information.
Reacting to the claims, Access Bank dismissed the claims by Mr. Ihebuzo Chris assuring their customers that their data is secured. In a statement by Access Bank’s Head of Corporate Communications, Amechi Okobi, the Bank said; “Our attention has been drawn to some social media reports claiming a data breach of our systems. Access Bank herewith confirms that there is no cause for alarm. We would like to reassure all our stakeholders and the general public of the security and integrity of our banking platforms which at this time are the best-in-class.”
Analysts say that keeping track of the number of cyber breaches that take place in the country is very hard because very few Nigerian companies would actually admit publicly when a breach has happened due to its attendant dent on the image of the organisation. A source at one of the nation’s big banks told The Economy that the industry loses huge sums of money to hackers and other forms of insider cyber leaks that the public are not aware of.
According to systems analysts that spoke to The Economy, this development highlights a challenge many have been aware of in recent times concerning the weakness in the firewall protection of some major financial institutions in the country. Bank Security, which was the first to disclose the alleged breach, said it was a database file “containing PII data of over 53k customers.” But on close examination of the SQL script and data posted online, the data is not customer information but recruitment data from a possible past enrollment exercise. However, this does not mean the data leak is any less serious. The leak is said to include people’s names, house addresses, emails, phone numbers and their dates of birth. Such information in the hands of criminals is a very serious issue, says a systems analyst who works in one of the big banks.
It could be recalled that the issue of cybersecurity has been a recurring one in recent times as many organizations across Africa work to strengthen their securities in the face of security breaches in different countries with Nigeria and South Africa being prominent. In July, Till Kottman, a Swiss-based IT consultant, compiled a list of 50 Nigerian companies whose source code had been exposed online.
Experts have warned that as the Internet of Things (IoT) plays far more roles in our everyday existence, breaches as this would become common, thus the need for organizations to raise the bar in cybersecurity and governments to create more awareness and regulatory oversights.
In its Nigeria Cyber Security Outlook 2020, international consulting firm, Deloitte described 2020 as the “Year of Shifts” in cybersecurity. According to Deloitte, 2020 will witness unprecedented cyber-attacks and cybersecurity solutions. “For the year 2020, we envisage a number of shifts that will affect the Nigerian Cyberspace – shifts in attack targets; attack magnitude; identification and authentication; monitoring; awareness and education; regulatory oversight; collaboration; and a shift in the way organisations deal with cyber-attacks”, Deloitte affirms.
Nigeria is not alone, on August 19, South Africans woke up to the news of a massive data breach that saw the data of 24 million people and 800,000 businesses fall into the hands of a fraudster. The breach, of the South African branch of consumer credit reporting agency Experian, was the biggest of the year so far in sub-Saharan Africa and highlights growing security threats throughout the region. While the value of scams and breaches in Africa thus far in 2020 pales in comparison to more developed economies, the number of attacks that enterprises withstand is growing fast. African enterprises are attacked by malicious hackers more frequently than enterprises elsewhere in the world, according to Check Point Software research.