Take, for instance, the 2016 case of KCB Group’s banking app in Kenya. After a tip-off from a hacker in Burundi, we discovered, and were able to replicate, a bug in the banking app that allowed the extraction of over 500,000 customers’ personal details, all through the customer-facing app. This was a case of bad security practices: the app, if you knew where to look, allowed you to run an SQL query pulling customer data off the KCB Group database.
The latest case in Kenya is an interesting one. It involves the country’s largest telecommunications company, Safaricom. The details, known thanks to Benedict Kabugi filing a lawsuit against Safaricom for violating customers’ privacy, are that there is a database of 11,5 million Safaricom customers containing all their contact details as well as mobile device types, location data, gender, age, identity numbers, passport numbers, and the transaction history of all sports bets they have placed. It is not yet clear how the database was leaked, but having scoured all the usual places where we typically hear of and obtain information on any hacking group selling data or claiming responsibility, there is a high probability that this is another case of either poor information security practices or a staff member leaking the data. Even if a staff member leaked the database, it still counts as negligence, as no one person inside an organization as large as Safaricom should have access to all customer data. Good data storage practices dictate that data must only be made available on an on-demand basis for a specific use case.
Unfortunately, for the reasons stated at the beginning, I do not see data breaches and leaks slowing down; rather, I expect incidents to keep increasing.
But what does all this mean for the inevitable time when your data has been leaked?
Firstly, limit the amount of crucial or personally identifying data that you leave on various apps and online platforms.
Secondly, try, if possible, not to use the same e-mail address for every app and platform. At best, use a different e-mail address for each app and platform you sign up to, as this ensures that, in the case your data is leaked, the leaked e-mail address is not linked to any of your other online accounts, reducing the risk of those accounts being accessed without your knowledge or permission.
The same logic applies to passwords: do not use a password on more than one app or platform (and no, changing a character in the password doesn’t count). The best way to ensure you have strong and unique passwords for each platform you sign up to is to use a password manager such as 1Password.
Also useful is to sign up to haveibeenpwned; it’s a great platform that will alert you if any e-mail address you register for notifications has ever been in a data breach or leak.
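As an added example, not code from the original post, the script below shows the password side of the same service: Have I Been Pwned’s Pwned Passwords range API lets a client check a password against breach data by sending only the first five characters of its SHA-1 hash and receiving a list of matching hash suffixes with occurrence counts, so the password itself never leaves the device. The range responses used here are constructed offline stand-ins built from a few sample passwords (the counts are made up); a real client would fetch https://api.pwnedpasswords.com/range/{prefix} instead of the local lookup function.

```python
import hashlib
from typing import Callable, Dict, Iterable, List, Tuple

# Type of the function that returns the range response body for a 5-char prefix.
RangeFetcher = Callable[[str], str]


def sha1_upper_hex(password: str) -> str:
    """Uppercase hex SHA-1 digest, the form Pwned Passwords is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(digest: str) -> Tuple[str, str]:
    """k-anonymity split: only the 5-char prefix is ever sent to the service."""
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns (CRLF separated)."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: RangeFetcher) -> int:
    """Number of times the password appears in breach data, 0 if never seen."""
    prefix, suffix = split_for_range_query(sha1_upper_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_problems(password: str, fetch_range: RangeFetcher, already_used: Iterable[str]) -> List[str]:
    """Apply the two rules from the post: never reuse, never use a breached password."""
    problems: List[str] = []
    if password in set(already_used):
        problems.append("reused on another platform")
    seen = pwned_count(password, fetch_range)
    if seen:
        problems.append(f"seen {seen} times in breach data")
    return problems


def build_offline_ranges(entries: Iterable[Tuple[str, int]]) -> Dict[str, str]:
    """Constructed stand-in for the API: one response body per hash prefix."""
    grouped: Dict[str, List[str]] = {}
    for pw, count in entries:
        prefix, suffix = split_for_range_query(sha1_upper_hex(pw))
        grouped.setdefault(prefix, []).append(f"{suffix}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in grouped.items()}


# Constructed sample data: real SHA-1 suffixes of these strings, made-up counts.
OFFLINE_RANGES = build_offline_ranges([("password", 3730471), ("letmein", 250000)])
offline_fetch: RangeFetcher = lambda prefix: OFFLINE_RANGES.get(prefix, "")

if __name__ == "__main__":
    print(password_problems("password", offline_fetch, ["hunter2"]))
    print(password_problems("hunter2", offline_fetch, ["hunter2"]))
```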
Stay safe out there in the www (wild wild web).