Two massive data incidents, just months apart. Back in February 2019 I found a database that belonged to Nigeria-based Electronic Settlements Limited / CashEnvoy. That first database contained over 8 million records. At first, representatives replied to my responsible disclosure notice and were very responsive: they acted fast to protect their users' data and close public access. When I asked whether they had notified their users, merchants, or partners, they disappeared and stopped answering our messages. We did not publish the discovery at that time as a professional courtesy, and because of how concerned they had appeared before they went silent and ignored all communication.
Unfortunately, the discovery on October 17th of a second massive database, holding 2.59 million credit / debit card transactions, shows that they did not take data protection seriously, notify their users, or fully restrict outside access to highly sensitive payment data. This is the dilemma we often face when raising awareness with our discoveries. Our goal is to help, not harm, but when an organization hides a data leak it does a disservice to its customers and partners. According to the IBM-Ponemon Institute, the larger the data breach an organization suffers, the less likely it is to have another breach in the following 24 months. In theory, then, by not publishing my first discovery I increased the likelihood of a further data exposure at PayPad / Electronic Settlements Limited.
What is PayPad?
Electronic Settlements Limited, founded by Olaoluwa Awojoodu, is the parent company of CashEnvoy, PayPad and a host of other companies. CashEnvoy is a payment service that allows businesses to receive payments online or at partner locations. Websites that integrate with CashEnvoy can accept payments from all the major debit cards, international Visa/Mastercard cards, and the CashEnvoy wallet. According to an article in TechPoint Africa, Mr. Awojoodu said he built his payments company because PayPal ignored his emails. Anyone who has ever tried to navigate PayPal’s infinite loop of time-wasting help articles can understand his frustration and respect his solution.
According to their website: “PayPad is a world class FinTech Company, and the first mPOS provider in Nigeria offering innovative and practical payment solutions to merchants”.
What was discovered:
The first database, discovered in Feb. 2019, held the CashEnvoy wallet data; the second, discovered in Oct. 2019, appeared to hold PayPad’s credit and debit card transactions. This is one of the largest collections of credit card numbers I have ever seen, and the worst part was that only a small portion of each card number was encrypted; the rest was stored in plain text.
Summary of the first database, discovered in Feb. 2019:
- Type: CouchDB database open for public access
- 8 million+ records with names, account and wallet transaction information
- Merchant files
- Names and contact details in plain text
- Admin credentials
- 11 open databases in total
- Data could be edited or deleted without admin permissions
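The combination listed above (a CouchDB instance reachable from the internet, with data editable and deletable by anyone) is what CouchDB calls "admin party": no server admin has been configured, so every anonymous caller is treated as an administrator. The following is an added example, not code from the original post or from Electronic Settlements Limited, showing a non-destructive way to confirm that condition from two read-only requests. It assumes, beyond what the page states, that the instance answers over plain HTTP on CouchDB's default port 5984 and that `/_session` and `/_all_dbs` behave as documented for CouchDB 1.x and 2.x; the sample responses are constructed for the example.

```python
"""Added example (not code from the original post or from Electronic
Settlements Limited): a non-destructive check for the CouchDB exposure the
post describes, i.e. an instance reachable without credentials and, in the
worst case, running in "admin party" mode, where every anonymous caller
holds the _admin role and can edit or delete any database.

Assumptions not stated on the page: the instance answers over plain HTTP
on CouchDB's default port 5984, and /_session and /_all_dbs behave as
documented for CouchDB 1.x and 2.x.
"""
import json
import urllib.error
import urllib.request

# Constructed sample bodies for an anonymous GET /_session.
ADMIN_PARTY_SESSION = {"ok": True, "userCtx": {"name": None, "roles": ["_admin"]}}
ANONYMOUS_SESSION = {"ok": True, "userCtx": {"name": None, "roles": []}}


def assess(session_doc, all_dbs_status):
    """Classify exposure from the anonymous /_session body and the HTTP
    status returned to an anonymous GET /_all_dbs.

    ADMIN_PARTY    - no server admin is configured; anyone can write/delete
    ANONYMOUS_READ - an admin exists, but the database list is still public
    LOCKED         - anonymous callers are refused
    """
    ctx = session_doc.get("userCtx", {})
    anonymous = ctx.get("name") is None
    if anonymous and "_admin" in ctx.get("roles", []):
        return "ADMIN_PARTY"
    if anonymous and all_dbs_status == 200:
        return "ANONYMOUS_READ"
    return "LOCKED"


def fetch_json(url, timeout=5):
    """Anonymous GET; returns (status, parsed JSON body or None)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as e:
        return e.code, None          # server answered, but refused
    except urllib.error.URLError:
        return None, None            # no connection at all


def probe(base_url="http://127.0.0.1:5984"):
    """Run the two read-only requests against a live instance."""
    base = base_url.rstrip("/")
    status, session_doc = fetch_json(base + "/_session")
    if session_doc is None:
        # 401 means require_valid_user is on; anything else is not CouchDB
        # or not reachable from here.
        return "LOCKED" if status == 401 else "UNREACHABLE"
    dbs_status, _ = fetch_json(base + "/_all_dbs")
    return assess(session_doc, dbs_status)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:5984"
    print(target, "->", probe(target))
```

Neither request changes anything on the server, which matters when the target belongs to someone else. On the server side the fix is the one CouchDB's own documentation gives: add an entry under `[admins]` in `local.ini`, set `require_valid_user = true` in `[chttpd]` (CouchDB 2.x; `[httpd]` on 1.x), and keep `bind_address` on a private interface or behind a firewall rather than `0.0.0.0`.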
Summary of the second (transaction) database, discovered Oct. 2019:
- Set to open and visible in any browser (publicly accessible); anyone could edit, download, or even delete data without administrative credentials.
- 2.59 million records of transaction data with card numbers in plain text.
- IP addresses, ports, paths, and storage information that cyber criminals could use to pivot deeper into the network.
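The post notes that only a small portion of each card number was encrypted and the rest sat in plain text. As an added example, not code from the post or from PayPad, here is how a reviewer can check a dump for unmasked card numbers: a Luhn check filters out other long digit runs (phone numbers, transaction references), and the first-six / last-four masking shows what a stored transaction record is allowed to carry under PCI DSS. The sample records are constructed for this example, and the card numbers in them are the standard Visa and Mastercard test numbers, not real cards.

```python
"""Added example (not code from the original post or from PayPad): find
card numbers stored in plain text in exported records, and show the masked
form (first six and last four digits) that a transaction record should
carry instead. The sample records below are constructed; the card numbers
are the standard Visa/Mastercard test numbers.
"""
import re

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded
# in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits):
    """Luhn checksum; every real card number passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_plaintext_pans(text):
    """Return every Luhn-valid 13-19 digit number found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask_pan(pan):
    """PCI DSS allows at most the first six and last four digits in clear."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(records):
    """(record index, masked PAN) for every record holding a full PAN."""
    findings = []
    for idx, rec in enumerate(records):
        for pan in find_plaintext_pans(rec):
            findings.append((idx, mask_pan(pan)))
    return findings


# Constructed sample records in the JSON-per-line shape a NoSQL export
# typically has. Records 2 and 3 contain no full card number.
SAMPLE_RECORDS = [
    '{"txn_id": 1, "card": "4111111111111111", "amount": "2500.00"}',
    '{"txn_id": 2, "card": "5555 5555 5555 4444", "amount": "1200.00"}',
    '{"txn_id": 3, "card": "411111******1111", "amount": "900.00"}',
    '{"txn_id": 4, "phone": "08012345678", "ref": "20191017123456"}',
]

if __name__ == "__main__":
    for idx, masked in scan(SAMPLE_RECORDS):
        print("record", idx, "holds a full card number; should read", masked)
```

Record 3 already carries the masked form and record 4 has a 14-digit reference that fails the Luhn check, so only the first two records are flagged; that distinction is why the Luhn step is there, since a bare digit-length regex would flag reference numbers as cards.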
All Data is Global
It does not matter whether you are in New York, London, or Lagos: people deserve to have their private and sensitive data protected. Technology companies, even in emerging markets, must do more to protect the data they collect and store on their users and partners. The worst part of this data leak is that Electronic Settlements Limited, the parent company of CashEnvoy and PayPad, had already had a wake-up call that appears to have been ignored. User data is valuable no matter where you are from or who you are, and this discovery highlights the need for organizations to put the same focus on data security as they do on profits and revenue.
On January 25, 2019, Nigeria’s National Information Technology Development Agency (“NITDA”) issued the Nigeria Data Protection Regulation 2019 (the “Regulation”). Many concepts of the Regulation mirror the EU General Data Protection Regulation (“GDPR”). The Regulation states that any entity found to be in breach of the privacy rights of any data subject will be liable, in addition to any other criminal liability, for the following:
- For data controllers “dealing with more than 10,000 data subjects,” a fine of 2% of annual gross revenue of the preceding year or 10 million Naira, whichever is greater; or
- For data controllers “dealing with less than 10,000 data subjects,” a fine of 1% of annual gross revenue of the preceding year or 2 million Naira, whichever is greater.
It is unclear if Electronic Settlements Limited has notified the authorities or the affected users. No reply was given to the data exposure notification or request for comment at the time of publication.