On August 25, Bank Security, a Twitter handle focused on bank security threats, reported that the database of Unity Bank, a Nigerian commercial bank, was being shared online on hacker forums.
One hacker claimed they had shared “only small dump” from the bank, and said “bigger dumps coming [sic] soon”.
At least three other hacker forums have since reportedly shared the same database, according to Bank Security.
TechCabal sent two emails to Unity Bank following the alleged breach but got no response.
Now, after more than seven days since the original tweet from Bank Security, the bank has finally issued a statement. However, in its statement, the bank did not explicitly deny the breach or dismiss the associated data.
“Our attention has been drawn to social media reports purporting a data breach of our systems,” Unity Bank said.
“For the avoidance of doubt, Unity Bank wishes to reassure all customers that we take the protection of their personal information very seriously in accordance with data protection legislation.
“The Bank hereby reassures its customers and the public at large, of the integrity of its systems, controls of which are continually enhanced in line with best practices, to forestall attempts at compromising confidential data.”
What the breach revealed
Bank Security, which was the first to disclose the alleged breach said it was a database file “containing PII data of over 53k customers.” But on close examination of the SQL script and data posted online, the data is not customer information but recruitment data from a possible past enrollment exercise. However, this does not mean the data leak is any less serious.
The leaked data included people’s names, house addresses, emails, phone numbers and their dates of birth. In the wrong hands, this could be dangerous.
The alleged breach of Unity Bank’s database comes at a time when cybersecurity is becoming a rising topic in Nigeria.
In the last few weeks, there have been at least three reported breaches. In July, Till Kottman, a Swiss-based IT consultant, compiled a list of 50 companies whose source code had been exposed online. Nigerian fintech, TeamApt was among the listed companies.
TeamApt didn’t respond to TechCabal’s request for comments at the time. But Tosin Eniolorunda, CEO of TeamApt, played down the breach. According to Business Day, he said the breach was discovered on July 26 from a code analysis tool and claimed only a snapshot of code was exposed.
“This tool is used by the engineering team to scan for vulnerabilities and bugs in our source codes before shipping them,” Eniolorunda told Business Day. “As the tool also keeps a snapshot of the most recently scanned lines of codes, the attackers exploited a vulnerability in this tool which allows users with unauthorised access to scrape recently scanned lines of codes. These code snapshots were what the attackers were able to access.”
Alleged breach of Access Bank
After TeamApt and Unity Bank, a third cybersecurity issue has emerged. On August 31, an overconfident hacker, Ihebuzo Chris, claimed to have stumbled upon sensitive customer data of Access Bank. While claiming he wanted the bank to up their security, Chris printed out hundreds of customer information. In a careless video posted on Twitter, Chris exposed his name.
Access Bank, using a similar boilerplate as Unity Bank, has since dismissed that “attack”.
“Our attention has been drawn to some social media reports claiming a data breach of our systems,” Amaechi Okobi, Access Bank’s Head of Corporate Communications said. “Access Bank herewith confirms that there is no cause for alarm. We would like to reassure all our stakeholders and the general public of the security and integrity of our banking platforms which at this time are the best-in-class.”
Speaking with TechCabal, an executive at one of Nigeria’s biggest fintechs explained that very few Nigerian companies would actually admit publicly when a breach has happened.
Cybersecurity is becoming a big concern in Nigeria as the adoption of online and digital services increases. Users are becoming increasingly concerned about how data is handled and whether or not their data will not fall into the hands of malicious users.
Sometimes this concern is misplaced. For instance, many bank customers still exaggerate the importance of their Bank Verification Number (BVN). They believe in the wrong hands, it could be used to make unauthorised transactions from bank accounts linked to their BVN number.
But in reality, the BVN cannot be used for such purpose since it is merely a means of identification, not authorisation. But fraudsters could use the BVN to impersonate bank staff and obtain authorisation information to users’ bank accounts.
While BVN worries are misplaced, other data concerns are valid. One example is the recent release of the NIMC MobileID app. Paired with the National Identity database, the app is supposed to allow Nigerians to view their National Identity information and use the digital ID for verification in cases where they have not been issued physical cards.
Following its release, the app displayed the wrong identity details for some users, exposing sensitive information to the wrong people. Nigerian made complaints on social media and on the app store. The NIMC responded to the complaints, claiming the app “is yet to be officially approved for public consumption.”
Companies and institutions need to take serious responsibility for users’ digital data as internet adoption increases.
