Leaks R Us

For three consecutive years we, iAfrikan, have broken stories about major data breaches and leaks across Afrika. Some, we've reported on publicly, while others were too sensitive and we simply notified the relevant authorities without publicly reporting on them.

These include, in 2016, the leak of Kenya's KCB Bank customer details: approximately 500,000 personal records of their customers were exposed as a result of an "amateur" bug in their mobile banking app.

Then there was South Africa's largest-ever data leak in 2017, where we traced the database back to a data aggregator company called Dracore Data Sciences, which had assembled a database of 60 million personal records of South Africans for their real estate client, Jigsaw Properties. Somehow, between Dracore and Jigsaw Properties, the database was left in a publicly accessible directory on a web server belonging to Jigsaw.

Then last week, we revealed how ViewFines left a database with 934,000 personal records of their users (including plaintext passwords) in a publicly accessible directory on their web server, only for someone to find this database and re-publish it on another public website.
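Both the Jigsaw and ViewFines incidents have the same shape: a database export sitting in a web-served directory with directory listing enabled, so anyone who stumbles on the URL gets a file index to browse. The following is an added example (not iAfrikan's code, and not code from any of the companies named) of how a practitioner can check their own sites for that failure mode: it parses an Apache/nginx-style autoindex page and flags links whose file names look like data exports. The HTML sample is constructed for the example; the host `example.test`, the path `/backups/`, and the file names are assumptions.

```python
"""Detect directory listings and export-like files on a web server.

Added example for checking your own hosts for exposed database dumps.
The sample HTML below is constructed; the host and paths are invented.
"""
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urljoin

# Extensions that usually mean "someone dumped data here". Generic archives
# (.zip, .tar.gz) are included deliberately so they get triaged by a human.
DUMP_EXTENSIONS = (".sql", ".sql.gz", ".sql.zip", ".csv", ".xlsx", ".xls",
                   ".bak", ".db", ".sqlite", ".json", ".zip", ".tar.gz")


class _LinkCollector(HTMLParser):
    """Collects every <a href> and the <title> text of a page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.title = ""
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for key, value in attrs:
                if key == "href" and value:
                    self.links.append(value)
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def is_directory_listing(html):
    """Heuristic: Apache and nginx autoindex pages are titled 'Index of /path'."""
    parser = _LinkCollector()
    parser.feed(html)
    return parser.title.strip().lower().startswith("index of")


def find_exposed_dumps(base_url, html):
    """Return absolute URLs of listed files whose names look like data exports."""
    parser = _LinkCollector()
    parser.feed(html)
    hits = []
    for href in parser.links:
        # Skip autoindex sort links ("?C=N;O=D"), anchors and sub/parent dirs.
        if href.startswith(("?", "#")) or href.endswith("/"):
            continue
        name = href.rsplit("/", 1)[-1].lower()
        if name.endswith(DUMP_EXTENSIONS):
            hits.append(urljoin(base_url, href))
    return hits


def check_url(url, timeout=10):
    """Fetch a directory URL you own and report listing status and suspect files.

    Network call; not exercised by the offline sample below.
    """
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        html = resp.read().decode("utf-8", errors="replace")
    return is_directory_listing(html), find_exposed_dumps(url, html)


# Constructed sample: what an Apache autoindex page for /backups/ looks like.
SAMPLE_LISTING = """<html><head><title>Index of /backups</title></head>
<body><h1>Index of /backups</h1><pre>
<a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
<a href="/">Parent Directory</a>
<a href="users_export.sql">users_export.sql</a>  2018-05-20 14:02  312M
<a href="site.css">site.css</a>                  2018-01-03 09:10  4.1K
<a href="customers.csv">customers.csv</a>        2018-05-21 08:44   88M
</pre></body></html>"""

if __name__ == "__main__":
    base = "http://example.test/backups/"  # assumed host, not a real target
    print("directory listing:", is_directory_listing(SAMPLE_LISTING))
    for hit in find_exposed_dumps(base, SAMPLE_LISTING):
        print("exposed export:", hit)
```

The check only finds what the index advertises; the durable fix is to keep exports out of the web root entirely and to turn listings off (`Options -Indexes` in Apache, `autoindex off;` in nginx), so that a misplaced file at least is not catalogued for whoever finds the directory.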

Now, I mention these 3 examples because, in investigating and reporting on data breaches and leaks in various Afrikan countries (both those we publicly reported on and those we investigated privately), there is a pattern to the whole process.

First, they ignore.

In all of the 3 examples stated in this newsletter, before we published the initial articles, we contacted the companies involved (KCB Group, Dracore Data Sciences, and ViewFines), and for a period varying from 24 hours to 72 hours they ignored all communications in which we clearly spelled out for them how they had just had their data leaked or breached. In all cases we went a step further and advised them on how they should secure the data to ensure no one else could access it, and on how they should handle their data going forward to ensure the leak or breach does not occur again.

But, alas, they ignore the phone calls and the e-mails.

Then, they deny it.

At this stage of our communication with the companies, in all 3 of the examples in this newsletter, once they had realized the seriousness of the situation and we had decided to alert the public and the relevant authorities to the leaks, the companies, despite us demonstrating to them that it was their data that had been leaked, went on to deny the leak either publicly or privately.

In 2016 KCB Bank went as far as publicly stating that iAfrikan was spreading misinformation; Dracore Data Sciences initially denied having any relationship with Jigsaw Properties, only to backtrack and say they had previously worked with them to "enrich" the deeds office database; and then, just last week, ViewFines initially admitted the leak, only to say a day or two later that "we are investigating if it's our data that was leaked."

They then threaten litigation.

Lastly, all the companies (except ViewFines so far, touch wood) have threatened litigation for us having reported on the leaks.

KCB Bank Group threatened to sue iAfrikan unless we took the story down, and then we met with them to walk them through how the bug in their app was leaking data. They went quiet, patched the bug, and updated the app.

Something similar happened with Dracore Data Sciences in South Africa: we received no less than 5 letters from their attorneys over a period of 5 days, in which they threatened everything from interdicting us (never happened), to suing for defamation (never happened), to litigation in general (never happened).

Why do I mention these examples?

Simply because not only is it a pattern (remember, these are not the only three; there are many others), but also, in all three cases, the leaks occurred as a result of either incompetence, negligence, or both. Worse still, none of the companies saw anything wrong with this, and all 3 treated the leaks in a nonchalant manner until authorities stepped in (except in Kenya, where to this day KCB Bank is yet to be investigated for the leak).

This further raises concerns not only about internal processes at these organizations but also the skills their IT staff have. More importantly, it also raises questions about what governments in Afrika are doing to punish companies that are negligent.

...and we haven't even started talking about how strong their security is when it comes to protecting against hackers, foreign governments, and organized criminal groups.

😢


This article first appeared on 28 May 2018 in the iAfrikan Weekly Digest Newsletter, a Pan Afrikan weekly digest of the most important stories of the week which includes insights and analysis on the most topical story of the week. Subscribe here to the weekly digest and receive it every Monday.
