Two data incidents, just months apart. Back in February 2019 I found a database that belonged to a Nigerian-based company. That first database contained over 8 million records. The company's representatives replied to my responsible disclosure notice and were very responsive: they acted fast to close public access and protect their users' data.
Our goal with responsible disclosure is to help, not harm. According to the IBM-Ponemon Institute, the larger the data breach an organization suffers, the less likely it is to have another breach in the following 24 months. In theory, by not publishing my first discovery I increased the likelihood of a further data exposure at the payment processing company.
According to its website, “PayPad is a world class FinTech Company, and the first mPOS provider in Nigeria offering innovative and practical payment solutions to merchants”.
What was discovered:
The first database I discovered, in Feb. 2019, held the CashEnvoy wallet data; the second, discovered in Oct. 2019, appeared to hold PayPad’s credit and debit card transactions. A portion of the card numbers appeared to be partially encrypted, which would have made it harder for cyber criminals to recover the remainder of the data.
Summary of the first database discovered in Feb. 2019:
- Type: CouchDB database open for public access
- 8 million+ records containing names, account details and wallet transaction information
- Merchant files
- Names and contact details in plain text
- 11 open databases in total
- Data could be edited or deleted without administrative credentials
Summary of the 2nd Transaction Database Discovered Oct 2019:
- Set to open and visible in any browser (publicly accessible); anyone could edit, download, or even delete data without administrative credentials.
- 2.59 million records of transaction data with card numbers in plain text.
- IP addresses, ports, paths, and storage information that cyber criminals could exploit to move deeper into the network.
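The condition described in both summaries (a database anyone can list, write to and delete from, with no administrative credentials) is straightforward to test for on your own infrastructure. The following is an added example, not code from this post or from PayPad: it audits a CouchDB HTTP endpoint with unauthenticated requests for anonymous database listing and for anonymous create/write/delete. The host name, port and the throwaway probe database name are assumptions; the transport is injectable so the checks can be exercised offline against constructed canned responses. Because the probe writes to the target, run it only against systems you are authorised to test.

```python
"""Added example (not code from the page or from PayPad): audit a CouchDB
HTTP endpoint for anonymous listing of databases and anonymous
create/write/delete without admin credentials. The transport is
injectable so the checks run offline against canned responses."""
import json
import urllib.error
import urllib.request

PROBE_DB = "zz_exposure_probe"  # assumed throwaway name (CouchDB db names are lowercase)


def http_fetch(method, url, body=None):
    """Real transport: returns (status, decoded JSON or None). No credentials sent."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        return err.code, None


def audit_couchdb(base_url, fetch=http_fetch, probe_db=PROBE_DB):
    """Return a dict of findings. Every request is unauthenticated, so a
    True value means the operation works for anyone who can reach the port."""
    base = base_url.rstrip("/")
    findings = {"anonymous_db_listing": False, "database_count": 0,
                "anonymous_create": False, "anonymous_write": False,
                "anonymous_delete": False}

    # 1. GET /_all_dbs enumerates every database on the node.
    status, dbs = fetch("GET", f"{base}/_all_dbs")
    if status == 200 and isinstance(dbs, list):
        findings["anonymous_db_listing"] = True
        findings["database_count"] = len(dbs)

    # 2. PUT /<db>: creating a database needs server-admin rights on a
    #    correctly configured node. Use a throwaway name, never a real one.
    status, _ = fetch("PUT", f"{base}/{probe_db}")
    if status in (201, 202):
        findings["anonymous_create"] = True
        # 3. PUT /<db>/<docid>: document write into the probe database only.
        status, _ = fetch("PUT", f"{base}/{probe_db}/probe", {"probe": True})
        findings["anonymous_write"] = status in (201, 202)
        # 4. DELETE /<db>: removes the probe database (cleanup) and shows
        #    whether deletes are open too.
        status, _ = fetch("DELETE", f"{base}/{probe_db}")
        findings["anonymous_delete"] = status == 200

    findings["exposed"] = any(findings[k] for k in (
        "anonymous_db_listing", "anonymous_create",
        "anonymous_write", "anonymous_delete"))
    return findings


# Constructed canned responses so the audit can be exercised offline.
def open_node_fetch(method, url, body=None):
    """Mimics a node with no admin configured: everything succeeds."""
    if method == "GET" and url.endswith("/_all_dbs"):
        return 200, ["wallets", "merchants", "transactions"]
    if method == "PUT":
        return 201, {"ok": True}
    if method == "DELETE":
        return 200, {"ok": True}
    return 200, None


def locked_node_fetch(method, url, body=None):
    """Mimics a node with [chttpd] require_valid_user = true: 401 everywhere."""
    return 401, None


if __name__ == "__main__":
    for label, fetch in (("open", open_node_fetch), ("locked", locked_node_fetch)):
        print(label, audit_couchdb("http://couch.example:5984", fetch))
```

CouchDB releases before 3.0 started in "admin party" mode (no admin account means every request is an admin request) and listen on port 5984, which is why an instance reachable from the internet ends up editable from any browser. The fix on the server side is to define an administrator in the `[admins]` section of `local.ini`, set `require_valid_user = true` under `[chttpd]`, keep `bind_address` on a private interface unless remote access is genuinely needed, and set each database's `_security` document so that only named members and admins can read it; after that the audit above should report 401 on every probe.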
All Data is Global
It does not matter whether you are in New York, London, or Lagos: people deserve to have their private and sensitive data protected. Technology companies, including those in emerging markets, must do more to protect the data they collect and store on their users and partners. The processor had a wake-up call and has taken action to mitigate future risk. User data is valuable no matter where you are from or who you are, and this discovery highlights the need for organizations to put a focus on data security.
On January 25, 2019, Nigeria’s National Information Technology Development Agency (“NITDA”) issued the Nigeria Data Protection Regulation 2019 (the “Regulation”). Many concepts of the Regulation mirror the EU General Data Protection Regulation (“GDPR”). The Regulation states that any entity found to be in breach of the privacy rights of any data subject will be liable, in addition to any other criminal liability, for the following:
- For data controllers “dealing with more than 10,000 data subjects,” a fine of 2% of annual gross revenue of the preceding year or 10 million Naira, whichever is greater; or
- For data controllers “dealing with less than 10,000 data subjects,” a fine of 1% of annual gross revenue of the preceding year or 2 million Naira, whichever is greater.