Unity Bank and Access Bank deny hacking claims

On August 25, Bank Security, a Twitter handle focused on bank security threats, reported that the database of Unity Bank, a Nigerian commercial bank, was being shared online on hacker forums.

One hacker claimed they had shared “only small dump” from the bank, and said “bigger dumps coming [sic] soon”. 

At least three other hacker forums have since reportedly shared the same database, according to Bank Security.

TechCabal sent two emails to Unity Bank following the alleged breach but got no response.

Now, more than seven days after the original tweet from Bank Security, the bank has finally issued a statement. However, in its statement, the bank did not explicitly deny the breach or dismiss the associated data.

“Our attention has been drawn to social media reports purporting a data breach of our systems,” Unity Bank said.

“For the avoidance of doubt, Unity Bank wishes to reassure all customers that we take the protection of their personal information very seriously in accordance with data protection legislation.

“The Bank hereby reassures its customers and the public at large, of the integrity of its systems, controls of which are continually enhanced in line with best practices, to forestall attempts at compromising confidential data.”

What the breach revealed

Bank Security, which was the first to disclose the alleged breach, said it was a database file “containing PII data of over 53k customers.” But on close examination of the SQL script and data posted online, the data is not customer information but recruitment data from a possible past enrollment exercise. However, this does not mean the data leak is any less serious.

The leaked data included people’s names, house addresses, emails, phone numbers and their dates of birth. In the wrong hands, this could be dangerous.

The alleged breach of Unity Bank’s database comes at a time when cybersecurity is becoming a prominent topic in Nigeria.

In the last few weeks, there have been at least three reported breaches. In July, Till Kottmann, a Swiss-based IT consultant, compiled a list of 50 companies whose source code had been exposed online. Nigerian fintech TeamApt was among the listed companies.

TeamApt didn’t respond to TechCabal’s request for comment at the time. But Tosin Eniolorunda, CEO of TeamApt, played down the breach. According to Business Day, he said the breach was discovered on July 26 from a code analysis tool and claimed only a snapshot of code was exposed.

“This tool is used by the engineering team to scan for vulnerabilities and bugs in our source codes before shipping them,” Eniolorunda told Business Day. “As the tool also keeps a snapshot of the most recently scanned lines of codes, the attackers exploited a vulnerability in this tool which allows users with unauthorised access to scrape recently scanned lines of codes. These code snapshots were what the attackers were able to access.”

Alleged breach of Access Bank

After TeamApt and Unity Bank, a third cybersecurity issue has emerged. On August 31, an overconfident hacker, Ihebuzo Chris, claimed to have stumbled upon sensitive customer data of Access Bank. While claiming he wanted the bank to up their security, Chris printed out the information of hundreds of customers. In a careless video posted on Twitter, Chris exposed his name.

Access Bank, using boilerplate similar to Unity Bank’s, has since dismissed that “attack”.

“Our attention has been drawn to some social media reports claiming a data breach of our systems,” Amaechi Okobi, Access Bank’s Head of Corporate Communications, said. “Access Bank herewith confirms that there is no cause for alarm. We would like to reassure all our stakeholders and the general public of the security and integrity of our banking platforms which at this time are the best-in-class.”

Speaking with TechCabal, an executive at one of Nigeria’s biggest fintechs explained that very few Nigerian companies would actually admit publicly when a breach has happened.

Cybersecurity is becoming a big concern in Nigeria as the adoption of online and digital services increases. Users are increasingly concerned about how their data is handled and whether it will fall into the hands of malicious users.

Sometimes this concern is misplaced. For instance, many bank customers still exaggerate the importance of their Bank Verification Number (BVN). They believe that, in the wrong hands, it could be used to make unauthorised transactions from bank accounts linked to their BVN.

In reality, the BVN cannot be used for such a purpose since it is merely a means of identification, not authorisation. However, fraudsters could use the BVN to impersonate bank staff and obtain authorisation information to users’ bank accounts.

While BVN worries are misplaced, other data concerns are valid. One example is the recent release of the NIMC MobileID app. Paired with the National Identity database, the app is supposed to allow Nigerians to view their National Identity information and use the digital ID for verification in cases where they have not been issued physical cards.

Following its release, the app displayed the wrong identity details for some users, exposing sensitive information to the wrong people. Nigerians made complaints on social media and on the app store. The NIMC responded to the complaints, claiming the app “is yet to be officially approved for public consumption.”

Companies and institutions need to take serious responsibility for users’ digital data as internet adoption increases.
