View profile

Your data has been leaked

June 26 · Issue #35 · View online
iAfrikan Daily Brief
About 4 to 5 years ago it used to be that you’d only hear of a data breach (or leak) a handful of times a year. However, these days, a few days barely go past without a new data breach or data leak being reported. The frequency is of data breaches and leaks is not just increasing in first world countries, but in Africa too.

There are several reasons that the increase can be attributed to, however I think there are two key things that play an important role. Firstly, Internet penetration is increasing as well as the proliferation of smartphones. This leads to companies making their services and whatever they sell available online, which means the collection of customer data. The second key issue is that, especially for big corporations, they tend to have legacy information systems that were not initially designed to be exposed publicly to customers via the Internet. As such, such systems security can be found wanting. On the other hand you have startups who follow the mantra of move fast and break things where information security is seldom part of the product development process, but an afterthought.
Bob Collymore, CEO of Safaricom, is facing an unprecedented moment as for the first time not only in his tenure as CEO, but also for the first time in Kenya, a company (Safaricom) is being sued for leaking customer data.
The above, along with other factors, lay a fertile ground for data breaches and leaks. More often than not (as we have also observed at iAfikan), it is not so much malicious hackers lurking around and devising genius plans to crack a company’s systems but a company’s negligence that leads to most data breaches and leaks.

Never attribute to malice that which is adequately explained by stupidity. 

Take for instance the 2016 case of KCB Group’s banking app in Kenya where, after a tip-off from a hacker in Burundi, we discovered and were able to replicate the results of a bug in their banking app which allowed for the extraction of over 500,000 customers personal details, all through the customer facing app. This was a case of bad security practices as the app, if you knew where to look, allowed you run an SQL query pullin customer data off the KCB Group database.

The latest case in Kenya is an interesting one. It involves the country’s largest telecommunications company, Safaricom. The details, thanks to Benedict Kabugi filing a lawsuit against Safaricom for violating customers privacy, are that there’s a database of 11,5 million Safaricom customers that contains all their contact details as well as mobile device types, location data, gender, age, identity numbers, passport numbers, and transactions history on all sports bets they have placed. It is not clear so far how the database got leaked but having scoured all the usual places where we typically can hear and get information on any hacking group selling the data or claiming responsibility, there is a high probability that this is another case of either poor information security practices or a staff member. Even if it is a staff member that leaked the database, it still counts as negligence as no one person inside such a large organization as Safaricom should have access to all customer data. Good data storage practices dictate that data must only be made available on an on-demand basis for a specific use case.

Unfortunately, for the reasons stated at beginning, I do not see data breaches and leaks slowing down but incidents increasing.

But, what does this all mean for for the inevitable time that’s coming when your data has been leaked?

Firstly, limit the amount of crucial or personally identifying data that you leave on various apps and online platforms. Secondly, try, if possible, not to use the same e-mail address for every app and platform, at best, use a different e-mail address for each app and platform you sign-up to as this ensures that, in the case your data is leaked, the e-mail address leaked is not linked to any other of your online accounts thus reducing your exposure to the risk of your other accounts being accessed without your knowledge or permission. The same logic applies to passwords, do not use a password more than on one app or platform (and no, changing a character in the password doesn’t count), the best way to ensure you have strong and unique passwords for each platform you sign up to is to use a password manager such as 1Password.

Also useful is to sign up to haveibeenpwned, it’s a great platform that will alert you if any e-mail address you register to receive notifications for has ever been in a data breach or leak.

Stay safe out there in the www (wild wild web).
🚐 A few years ago, the government of Kenya legislated for a cashless public transport system for which they recruited some Big Tech companies to assist with. Needless to say, the initiative failed dismally. Link

⚖️ In what is an unprecedented lawsuit in Kenya, Safaricom is being sued for an alleged data leak. Benedict Kabugi, a Safaricom customer, is has filed a lawsuit against the company for apparently having the personal data of customers leaked. Link

🌐 Despite Big Tech invading and abusing our privacy, A third generation of web technology might offer a way to change things. Link

⚙️ Gearbox, a hardware accelerator in Kenya, provides space, expertise and helps startups with seeking funding. It was founded by a Kenyan engineer, Kamau Gachigi. Link
Did you enjoy this issue?
If you don't want these updates anymore, please unsubscribe here
If you were forwarded this newsletter and you like it, you can subscribe here
Powered by Revue