A global hacking cartel recently demanded a ransom worth $1 million from two major commercial banks after scaling their firewalls and gaining access to customer data including account details of high-net-worth clients.
Highly placed sources revealed that the attack came on the heels of warnings from government and industry cyber security experts about the impending attack.
Monitor has learnt that three weeks ago, hackers were able to gain access to customers’ personal data, including account details such as names, identity cards, bank statements, deposits and credit history, among others.
The commercial banks, which owe a fiduciary duty not to disclose their clients’ personal data, refused to pay the ransom. They reverted to a back-up secondary data centre maintained by Raxio data centre in Namanve, sources revealed.
The hackers relied on a phishing attack, which is the practice of sending fraudulent communications that appear to come from a reputable source. It is usually carried out through email. The goal is to steal sensitive data, such as credit card and login information, or to install malware on the victim’s machine.
A cyber-security expert who spoke on condition of anonymity revealed that they suspect the LockBit gang, based in eastern Europe. According to an article published by Wired, LockBit is a prolific gang of cyber criminals believed to be Russian-based, which was previously implicated in a similar attack targeting Ugandan banks in 2016.
Typically, LockBit ransomware attacks slow down the victim’s network, capturing passwords and locking the victim out of their own systems. To regain access, the victim must pay a ransom. However, even if access is regained, it cannot be ruled out that the hackers retain backdoor access to the data system and could break in again in the future.
Rather than pay the ransom and fund the hackers’ activities, financial institutions routinely back up data on cassette tape so that once a system is compromised, they can restore it.
Cybercriminals target legacy security systems of banks and telecom firms in Uganda among others that are yet to be upgraded, with ransomware that evades detection and circumvents firewalls.
According to a 2019/2020 report published by Serianu Limited, a Pan African cyber security firm, cyberattacks in Uganda were on the rise and had led to a loss of about Shs11.4b. Out of this colossal amount, only Shs51.9m was recovered.
Banks are the main targets of such attacks; however, telecom companies and aggregators are also in the sights of cybercriminals.
In 2018, the Central Police Station registered a case of unauthorised access and theft of money worth Shs2.6b from Beyonic Ltd Systems, which operates a cloud-based mobile payment service, while the Criminal Investigations Directorate (CID) offices in Kibuli, Kampala, registered another case of unauthorised access and theft of money worth Shs802m filed by MTN Uganda.
In 2019, dfcu bank filed a case of unauthorised access and theft of Shs383 million at CID offices, Centenary Bank filed a case of unauthorised access and theft of Shs800 million at Central Police Station, and True African Systems, an online financial services hub, lost Shs116 million and also filed a case at CID offices.
More recently in October 2022, Airtel was the target of a Shs7.6b cyber heist after hackers took control of a betting site that was used by punters to place bets after crediting their accounts with Airtel money. The hackers completed transactions on 1,800 sim cards in a heist that sleuths believe was enabled by insiders.
In 2019, a number of cybercrimes were committed using pre-registered sim cards to steal money from unsuspecting victims. In total 519 fraudulently swapped pre-registered sim cards were used to transfer and steal money from various banks and mobile money accounts.
A directive by Uganda Communications Commission (UCC) requires all sim cards to be registered with national identity cards.
However, unscrupulous telecom agents obtain biometric data from unsuspecting individuals multiple times, make copies of their national identity cards, and subsequently register more than one sim card in the names of those individuals.
These registered sim cards are subsequently sold to criminals who use the numbers to defraud their victims.
In mitigation, UCC requires telecom companies and banks to authenticate customer data with the National Identification and Registration Authority (NIRA). This is why, according to NIRA’s 2022/2023 Ministerial Policy Statement, more than 26 million records were accessed by government agencies as well as the private sector through the third-party interface in the financial year 2021/2022.
In 2018/2019, these companies accessed and used data from the national register through the third-party interface. Airtel accessed more than 1.3 million records and MTN more than 1.8 million.
Third parties sign a Memorandum of Understanding (MoU) with NIRA which contains the terms under which data is accessed and used.
Allan Kigozi, a data protection and privacy advocate, outlined the risks of third-party access.
“For starters, that access is illegal. We have a Data Protection and Privacy Act and the regulations that regulate and guide how such information should be accessed. The access by telecoms to the national register for ID is very disastrous, and worrying, because if telecoms collect the names of people, their location in terms of where they live and if combined with the biometrics of the national ID that makes it very dangerous because now someone can easily be profiled and telecoms have a history of misusing personal data, they have had a history of being hacked into.”
The telecom companies often request to access this data to verify and authenticate the identity of people transacting on their platforms. However, telecom firms are now seeking biometric data to complete the process of authentication.
Access to the NIRA register is provided for in the Registration of Persons (Access and Use of Information) Regulations 2015. However, it requires individual consent.
Consent is defined in the Data Protection and Privacy Act as: ‘freely given, specific, informed and unambiguous indication of the data subject’s wish, which he or she by a statement or by a clear affirmative action signifies agreement to the collection or processing of personal data relating to him or her.’
Grace Kenganzi, who works at the Personal Data Protection office, opines that “As a data subject, the person whose data is being collected, you do have a right to ask the person collecting your information, how they plan to use it, how they are keeping it.”
She adds: “It’s time to pay attention to these terms and conditions because sometimes we are signing away our information. Some of the things in the fine print include, I am giving you consent to share my number with your marketing department or a third party, so you can disallow that. And if you realise that an organisation you are using is sharing your information, you can get in touch with them and complain about it, and if they don’t take action in 30 days you can complain to our office.”
But in practice, there are concerns that the limits of consent are not clearly defined. The law is vague about when consent expires. Kigozi reveals the implications.
“The Data Protection and Privacy Act, which is against the sharing of information with third parties. It governs citizens, data subjects powered to give consent. So, by sharing that information, you are leaving citizens powerless. They don’t know how their information is being used. They don’t know who is accessing that information. So, it leaves that privacy at stake and their lives at stake.”
John Musiime, a lawyer, argues that consent is not limitless.
“So it cannot be that you collect my data once and therefore have limitless licence, an unrestricted licence to do with it as you please. Certainly, there is a limit, and the data subjects must at all times, at every turn, be informed and give full consent to the use of their data.”
These concerns have implications for data protection and individuals’ rights to privacy, especially considering the regular, high-profile data breaches at government agencies, banks and telecoms. Kigozi brings the risks into perspective.
“There are very high chances of misusing that personal data; they have done it before. We have seen them misuse that information during elections: politicians have paid telecoms, and politicians have paid some elements in NIRA to use that information for campaigns. People have been hacked to death. People have been killed. How do they get that information?” Kigozi argues.
He adds: “How sure are we that it’s not elements in there? We have evidence that information is being misused. So, where you have telecoms accessing the national ID register without any privacy impact assessment, without information on what they are going to use it for, and without information on what agreements they have signed, I think it will be very important for them to share with us the agreements they are using to share that information.”
Further, it is unclear who is held liable in the event of such breaches.
Kenganzi says: “So who we hold responsible is the source of the breach. So, when we receive complaints, we investigate. In investigating we find out who is behind the breach. If it is a person in our register there is usually the contact information of their data protection officer, we start from there by tracing where the breach happened. And we work with police to trace this breach and action is taken. Most of these cases are under investigation.”
In the digital age, data is currency and holds an intrinsic value. As such governments, banks, telecoms, and technology firms such as Google and Facebook—which rely on algorithms to build a digital footprint— are incentivised to collect more personal data from customers, citizens and clients.
In certain circumstances, which the law describes only vaguely as scenarios where access is required in the ‘national security interest’ (itself narrowly defined), in the public licensing interest, or in the interest of public order, your national data can be accessed without your consent. What is the ambit of data accessibility based, for instance, on national security interest, and what test must be applied to establish a legitimate concern of this nature?
For advocates of data privacy, this prompts concern given that government agencies have typically not been held accountable for abuses, including violations of privacy, which have also led to a clampdown on the civil liberties of those perceived as political rivals, human rights defenders and journalists, among others.
The case of Ugandan journalist, Lawrence Kitatta, who went into hiding after being assaulted on account of police surveillance, is instructive.
Kitatta, whose data appears to have been breached to aid his arrest, recounted to the Committee for the Protection of Journalists how he was trailed by plain-clothes security personnel on a motorcycle who hounded him at home and at his workplace as a result of a data breach.
Given the deteriorating human rights regime and growing intolerance of political dissent, declining media freedom and rising impunity, there are concerns that mass surveillance will severely curtail individual freedoms including the right to privacy.
Musiime says there is a need to engage in public interest litigation to address these concerns.
“The idea is that the government is powerful and can do anything. You know they say, power corrupts and absolute power corrupts absolutely. So how we guard this is by putting in the law parameters that limit the people that can do things, so they don’t do things simply because they can do them. There needs to be guardrails. Certainly, I would be surprised if there is an interpretation that says once they collect that data, they can use it [at their own discretion].”
“We do audits and some of them [telecoms] have invited us to do personal data protection audits to see how they are doing. We appreciate their cooperation with our office. Whether we are satisfied I cannot answer that until we have done the audit. When we do the annual audit that is when we can see whether they are good or satisfactory,” Kenganzi revealed to Monitor.
For its part, NIRA is advocating for mass enrollment for the national identity card as part of digitising the national identity infrastructure and addressing pervasive identity fraud.
Experts opine that access to data can be a double-edged sword. For instance, in the recent case, the backup repository helped commercial banks fend off a ransom demand from hackers.
Yet if this data is not carefully stored, it can be accessed and manipulated by firms such as the disgraced UK political consultancy Cambridge Analytica, which was involved in the manipulation of the presidential election in neighbouring Kenya in 2013 and 2017.
The consequences of such breaches can be dire as was the case of Chris Msando, the Kenya Independent Electoral & Boundaries Commission ICT manager, who was strangled to death.
What is cybercrime?
Cybercrime is a type of crime involving a computer or a computer network. The computer may have been used in committing the crime, or it may be the target. Cybercrime may harm someone’s security or finances.
Internationally, both state and non-state actors engage in cybercrimes, including espionage, financial theft, and other cross-border crimes. Cybercrimes crossing international borders and involving the actions of at least one nation-state are sometimes referred to as cyberwarfare.