On March 5, Techpoint reported a hack at Flutterwave, one of the leading fintech startups from Nigeria. According to court documents, the startup had been hacked, leading to a loss of 2.9 billion naira ($6.3 million), and was requesting a court order to freeze accounts associated with the money trail across 27 financial institutions. But later that same day, Flutterwave released a statement explicitly denying any security breach or hack, and to date, Nigeria’s cybersecurity authorities have made no attempt to clarify or investigate what happened.
Similarly, in 2022, Website Planet, a website mapping and management company, released a report detailing its discovery of unsecured servers containing data on an estimated 37,000 people registered with the state government health agency of a central Nigerian state, the Plateau State Contributory Health Care Management Agency (PLASCHEMA). The data points included names, identity card details, age, and medical information about applicants to the insurance scheme.
Website Planet first messaged Nigerian data authorities about the breach in April, but it was not until July that the buckets were secured. In the meantime, tens of media houses covered the incident, highlighting proof of exposed data shared by Website Planet and emails exchanged with the Nigeria Computer Emergency Response Team. Yet in late July, barely days after securing the data, PLASCHEMA sent out press releases denying any breach or lack of security. Similarly, last year, it took a whistleblower report for TransUnion to admit that its South African servers had been compromised, and further orders by the Data Protection Bureau before the credit union contacted affected customers.
“THE CONTINENT IS DIGITIZING AT AN INCREDIBLE SPEED, BUT LACKING IN DIGITAL SECURITY AND APPROPRIATE POLICIES.”
African countries have poor disclosure policies, practices, and enforcement measures. Across many African countries, breaches and cybersecurity incidents are either ignored, covered up, or outright denied. Unlike in Europe, the Americas, and Asia, the 2019 attacks in Africa by the Lazarus group (a notorious group of state-backed North Korean hackers) remain in obscurity; there’s almost no knowledge of which specific firms and infrastructures were attacked during the global campaign.
According to a 2023 Kaspersky report, 47% of systems in Africa experienced attempted malware attacks in the last year. Another report by Check Point Research recorded an average of 1,875 cyberattacks weekly on African soil in the last quarter of 2022, the highest of any region in the world.
Reports about African breaches, vulnerabilities, and data privacy violations are rife and often accompanied by alarming figures, but without names, the chances to learn from and mitigate such attacks are near zero, and so is the opportunity to properly assess and mitigate damage.
YOU CAN’T FIX IT IF YOU DON’T KNOW WHERE IT’S LEAKING
You cannot fix it if you don’t know where it’s leaking, per Noelle Van Der Waag-Cowling, lead for the cybersecurity program at the Security Institute for Governance and Leadership in Africa, Stellenbosch University. “There’s a severe lack of proper disclosure practices in most of Africa, even compared to other places in the global south like Latin America,” said Noelle. “There’s this perception that Africa is immune to cyberattacks because of low digitization – which is inherently false but also – the continent is digitizing at an incredible speed, but lacking in digital security and appropriate policies.”
Across many African countries, there are data protection policies and authorities tasked with disclosures along with other protective measures, but disclosure requirements are poorly enforced. Nigeria’s Data Protection Bureau requires that it be notified of breaches within 72 hours but gives no concrete parameters for disclosure. In South Africa, organizations are required to inform regulators and affected data owners of breaches, along with a description of possible consequences and protection measures that can be taken, but this rule is often flouted due to poor enforcement. Other countries across the continent share the same tendency toward denial, ambiguity, or ignorance.
Nobody likes to disclose incidents, but disclosures can build cyber-resilience over time, especially among consumers, who also have a right to be informed about incidents affecting their data.
“This absence of disclosures and its enforcement by proper authorities consequently results in a lack of accountability among organizations,” said Noelle, who argues that cybersecurity and data privacy are often an afterthought when organizations are mapping their digital architecture. If disclosures were better enforced, organizations would pay more attention to their cybersecurity and do more to prevent breaches, knowing the disclosures would impact their stock and commercial trade.
But the practice of not disclosing is not confined to commercial organizations; many public offices across the continent do the same and are held to an even lower standard of disclosure.
HACKING STATE EMAILS
In July 2022, when email accounts belonging to the Lagos State government, which could enable large-scale, legitimate-looking scams, were advertised for sale on the dark web, the government did not attempt to address the issue. In 2019, in a saga popular among data privacy advocates and enthusiasts, it took a cybersecurity researcher publicly calling out ESKOM – South Africa’s electricity authority – on Twitter before it rudimentarily attended to an inappropriate exposure of consumer data that affected millions of customers. “You don’t respond to several disclosure emails, emails from journalistic entities, or Twitter DMs, but how about a public tweet?” tweeted Devin Stokes. “You are unnecessarily exposing YOUR customers’ data!”
The dark web is rife with advertisements of access to emails, data, and servers belonging to public organizations, but these organizations seldom acknowledge the incidents or take measures to prevent further ones, and they face even less criticism in the media. This difference in standard between public and private organizations, Noelle argues, is partly fueled by the presence of younger talent and is an indicator of problems present in the national systems at large.
“A country’s approach to cybersecurity and data privacy is often an indicator of the country’s leadership behavior and priorities,” said Noelle. “Issues like corruption and authoritarianism are especially exacerbated in a country’s cybersecurity practices.” By extension, issues like tardiness are also more prominent in public organizations than in private ones.
But the tardiness in public organizations can discourage even private organizations from trying to disclose incidents, per Blessing Udo, a Nigerian data protection advocate and data protection lawyer with Jackson, Etu, & Edu. In Blessing’s experience as a legal consultant working with firms trying to disclose incidents responsibly, most data protection bureaus take incredibly long to respond to disclosure emails and rarely help with anything. “At some point, you start second-guessing even disclosing the incident because you’re spending so much time waiting for them to even respond to emails,” said Blessing.
POWER TO THE PEOPLE
The solution, Blessing says, still lies with people. “If people can advocate for their data to be processed more responsibly, it can spur better practices in both the public and private sectors.”
Africa is starting to build a reputation as a soft spot for data and security, and the inability to step up proper cybersecurity practices could stonewall the continent digitally. In the EU, for example, there have been discussions about blacklisting countries and companies based on security, and barring blacklisted entities from accessing, storing, or processing data from the EU, an example that will likely be followed by other regions in the world. This could have major consequences for the continent, which is just on the cusp of massive digital evolution and growth. To improve its cybersecurity, Africa needs to address its gaps in disclosure.