Nigeria's National Information Technology Development Agency (NITDA), the government organization responsible for implementing the country's National Information Technology Policy as well as overseeing enforcement of its Data Protection Regulations, has confirmed to iAfrikan that, following our initial report on the possible security and data breach at SureBet247, the Director-General and CEO of NITDA, Mr. Kashifu Inuwa Abdullahi, gave an order for the incident to be investigated by NITDA's Data Breach Investigation Team. This follows a frustrating period since December 2019 during which Troy Hunt, an Australian security researcher and Founder of HAVE I BEEN PWNED, and iAfrikan have been trying to alert SureBet247 and have the company take the necessary steps as per acceptable industry standards and as suggested by the Nigerian Data Protection Regulation.

During January 2019 the NITDA introduced the Nigeria Data Protection Regulation ('NDPR'), and depending on the findings of its investigation into SureBet247, the betting company and/or its suppliers could be in violation of some parts of the NDPR.

"We are also sending a letter to the affected company to provide further details before we make our conclusions. NITDA appreciates the efforts of people like you who genuinely seek to reduce the flagrant breach of personal data globally," reads part of the message the NITDA sent to iAfrikan.

Possible violation of data regulations and more frustration with SureBet247

As mentioned in the initial article, it has been quite frustrating trying to engage with SureBet247 and getting the company to take the potential data breach seriously and alert its customers and portal users of the potential risks. Furthermore, and as mentioned in the NDPR, the company (among many other things) would be required to have a "Data Protection Officer" who would be responsible for communicating with "Data Subjects" and handling any issues relating to data protection. Thus far, it is highly probable that SureBet247 does not have such a role active.

I mention this because after experiencing frustration with the Nigerian betting company's customer support agents, the company's co-founder and Managing Director, Sheriff Olaniyan, sent the following message to iAfrikan at 13h53 CAT on 4 January 2020:

"Hi iAfrikan , The management of surebet247 seriously frown at this malicious news been promoted by your organization. We will not hesitate to take legal action if you don’t stop and bring this down. No customer data of ours was hacked or exposed ,you have many betting company names listed on the so called list why this personal attack on surebet247. It’s obvious there is a motive around this , you post fake news without disclaimer and your informant do not provide you customer list from any of the betting company claimed to be hacked. Names posted on your list told us how your informant was asking for payment and this was demanded from us , this is pure blackmail and you reported this news so personal without evidence. We will appreciate you stopped right now."

To date, we still await the legal action Olaniyan alluded to or any further communication from the company. This, after he sent a follow-up message in which he said their head of legal (note: not their Data Protection Officer as stipulated in the NDPR) will deal with the matter "appropriately." Olaniyan concluded by saying "We will appreciate you stop and take this down immediately."

At this stage, it is probably important to explain why the initial article focussed on SureBet247 even though the data dump contained information (which we would only later piece together) from betting operators and software development companies. It's simple: the initial contact from the anonymous source mentioned, in the e-mail subject, "Dumps surebet247.com and more." Looking at the data at a glance, it also becomes apparent why SureBet247 was the main focus: SureBet247 constituted the bulk of the data and code dump.

NAME OF DB        NO. OF UNIQUE E-MAILS
STM02_SB.sql      2,166
BetAlfa           43,459
BetWay            78
BongoBongo        211,734
SureBet           410,384
TopBet            106,275

As you can see, judging not only by the size of the data but also by the number of unique e-mail addresses (and user profiles, as detailed in the initial article), the SureBet247 data dump is by far the largest.

As attempts continued to engage with SureBet247, not only to get them to alert their users but also to help them identify the source of the breach so that appropriate procedures and actions can be taken, it became apparent that the breach is possibly bigger in scope. This was also confirmed by the anonymous source, who stated (among other things that I cannot yet discuss, as this is still a sensitive investigation and all the relevant parties need to be allowed sufficient time to respond) that the security breach and data access were the result of a security "vulnerability in a system and from there, escalate privileges."

This goes against what the company tweeted on 4 January 2020 stating that customer data was not accessed. Furthermore, what the company is saying is not true because, if that was the case, how come we could randomly verify that some of the user e-mails in the dump do exist as their betting portal users?

Given that the scale of the breach could stretch beyond Nigeria, it also possibly brings other parts of the West African country's NDPR into play, specifically the parts relating to "Data Security", "Third Party Data Processing Contract" and the "Transfer (of data) to a foreign country." Should it become apparent that these two parts of NDPR were also violated, over and above the actual access of customer data, SureBet247 could possibly be heavily punished by the NITDA.

The Data Security section of the NDPR specifically states that:

"Anyone involved in data processing or the control of data shall develop security measures to protect data; such measures include but not limited to protecting systems from hackers, setting up firewalls, storing data securely with access to specific authorized individuals, employing data encryption technologies, developing organizational policy for handling Personal Data (and other sensitive or confidential data), protection of emailing systems and continuous capacity building for staff."

The rise of online sports betting in Africa

The potential security and data breach at SureBet247, along with the potential data breach of other betting companies across Africa, is also important in the context of the rise of online sports betting across Africa, especially among the continent's youth. I cannot comment much on the socio-economic impact of online sports betting in Africa; however, some have reported that in some cases, mobile money loans are used for online sports betting, creating a vicious cycle.

What I do know, though, is that the trend of sports betting is growing across the continent, if Google searches are anything to go by. If you look, for example, at the top countries from which the phrase "sports betting" was searched, 8 of the top 10 are African countries, as per Google Trends.

Worldwide Google Trends report for people who searched the phrase "sports betting." Eight of the ten top countries to search for the phrase in 2019 were African. Source: Google Trends

A similar trend can be observed for the phrase "soccer betting."

This sudden popularity has been explained in some quarters as a reflection of the desperation of Africans in dire need to make a living and make ends meet. It could also explain why during 2018 and 2019 there was a surge in new betting operators in Africa as well as European companies such as BtoBet that announced many partnerships with betting operators across the continent.

What I do know, though, is that irrespective of the industry, as long as companies are engaged in the collection and processing of people's data, they need to ensure they have sufficient security measures in place and that they comply with the relevant regulations. In the case of their data and systems being breached, they need to ensure that they follow the relevant country's regulations as well as acceptable industry standards to secure their systems and make a public disclosure that can reach all their customers far and wide.

This is a developing story and we will update it once new information becomes available.

