LESSONS KENYAN ENTITIES SHOULD LEARN FROM MALAWI’S IMMIGRATION DEPARTMENT DATA BREACH
Data Protection: Series 5
It is not in doubt that African countries are experiencing a rapid increase in digitization and use of technology in an effort to accelerate their economic growth. This increased use of technology has come with its own challenges, including increased cyberthreats and attacks, which now call for African countries to rethink their security measures in order to protect their citizens' personal data.
For instance, between late February and early March 2024, Malawi lost its passport issuance system to hackers, and efforts to recover it do not seem to be an easy task. The hackers, who are believed to be international, have taken over the critical part of Malawi’s Immigration Department and are demanding a lump sum of over $1 million in order to surrender the system back to the Malawi government.
As it stands, it appears that Malawi and its Immigration Department have lost all the sensitive personal data of its passport-holding citizens to these international hackers. The negative impact of this cyberattack is that the country has not only lost a channel of revenue collection in the form of fees for immigration services, but may also have to part with the lump sum demanded by the hackers if its IT experts and team are unable to recover the system. The country is also on the verge of being sued by its citizens, who are the affected data subjects. It is also reported that a substantial number of technology companies contacted by the Malawi Government for assistance in retrieving the lost system and data are asking for an exorbitant amount, which the government of Malawi is unable to pay.
The situation Malawi has found itself in is a lesson not just to Malawi but also to other African countries, including Kenya. Kenya has also been the target of several unsuccessful cyberattacks, the most recent being the unsuccessful attack on the Government’s eCitizen platform, which permits access to all government services through one platform, and another threat to the database of Kenya Airways, “the Pride of Africa”, which almost lost some of its clients’ data to cyber criminals.
It is therefore important for institutions to understand the types of cyberattacks below and take the necessary measures to prevent them.
Malware/Spyware
Malware is either a virus, worm or other code-based program that will attack a device, either to steal private information, gain access to systems or for other malicious purposes. Users typically install malware on their devices unknowingly, either through a malicious email, downloading an attachment or through visiting a website with malware.
Spyware on the other hand is a type of malware that spies and collects data from a device without the owner’s knowledge. The data collected through spyware could be used for a targeted cyberattack or might be sold through the dark web.
Phishing, Smishing & Vishing
Phishing is the practice of sending a malicious email that either requests private or sensitive information from someone or installs malware on a person’s device. In phishing, hackers send you fake emails with links or attachments, made to look legitimate; you then either click on the link or open the attachment, and they steal your credentials or put malware on your system. Phishing attacks often disguise the displayed name of an email (which is called a friendly name) to confuse users and make them think the email is legitimate or coming from someone they know.
Smishing is conducting this same attack through text messages, and vishing refers to conducting the attack through phone calls or voice mail. In smishing, hackers pretend to be someone the victim knows, such as a business leader or coworker. “You might have an employee who gets a text from their CEO or their manager, and hackers are able to find that information. For instance, they text the person and say, ‘Hey, I’m in a meeting. I can’t talk right now, but I need you to do XYZ.’” For instance, the request may be to buy gift cards and send the codes for the gift cards, or to make a payment to a specified till.
Social Engineering
Social engineering is the process of using psychological manipulation to gain personal information about another person. Attackers use social engineering to gain the information about another person that they need for a scam. An example of social engineering might be calling the operator of a company to ask for the list of account managers. A social engineer would have to pose as someone who requires this information, or somehow find an excuse for asking. This list of managers might then help an attacker gain more sensitive information they require for an attack. Social engineering is usually one step of a more complicated fraud or scheme.
Identity-Based Attacks
Identity-based attacks occur when cybercriminals target your computer system, network, or account to access your personal or medical information, bank details, and login credentials for illegal or malicious activities.
Denial of Service Attacks (DoS)
This is the most common type of attack in business. Denial of service attacks are those meant to shut down a network by flooding it with fraudulent traffic. When malicious traffic floods a network, the website will become inaccessible to legitimate users. Denial of service attacks can be expensive for businesses, as it costs time and money to restore the network.
Takeaway lessons:
These increased cyber threats and attacks are a wake-up call for all nations, companies, private institutions, government agencies and all other business entities that hold personal data to put in place comprehensive measures to secure the personal data in their custody.
It is also important to note that before you can stop a cyberattack, you have to recognize that it is happening. It is not always easy to detect a cyberattack, as attackers are good at hiding their identity and activities. Each organization should consider the following as a way to deal with or stop an attack and mitigate its effects, so as to enhance security and counter unauthorized access:
- Have an alternative secured storage server as a plan B in case one of your server systems is compromised and you are unable to retrieve it.
- Disconnect internet and disable remote access.
- Mobilize your cybersecurity response team and put them into action to stop the attack and recover the compromised data.
- Maintain your firewall settings.
- Install any pending security updates or patches.
- Change all affected and vulnerable passwords immediately.
- Conduct staff awareness, education & training.
- Set up multi-factor authentication procedures.
- Run antivirus scans.
- Set your email system to alert you about emails from outside your company.
- Conduct system audits frequently.
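The external-email alert in the list above, combined with the friendly-name disguise described under phishing, can be expressed as a small mail-filter check. This is an added example, not part of the original article; the domain `corp.example` and the staff names are constructed assumptions.

```python
from email.utils import parseaddr

# Assumed for this example: the organisation's mail domain and a small staff directory.
INTERNAL_DOMAIN = "corp.example"
STAFF_NAMES = {"jane wanjiru", "peter otieno"}

def _norm(name):
    """Lower-case and collapse whitespace so 'Jane  WANJIRU' matches the directory."""
    return " ".join(name.lower().split())

def check_sender(from_header, internal_domain=INTERNAL_DOMAIN, staff=STAFF_NAMES):
    """Return warning tags for one From: header value (empty list = internal sender)."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable-sender"]
    domain = addr.rpartition("@")[2].lower()
    # Exact domain or a true subdomain counts as internal; look-alike suffixes do not.
    internal = domain == internal_domain or domain.endswith("." + internal_domain)
    if internal:
        return []
    tags = ["external"]
    # Friendly name copies a colleague's name while the address is outside the company.
    if _norm(display) in staff:
        tags.append("display-name-matches-staff")
    # Friendly name shows an internal-looking address to hide the real one.
    if "@" in display and internal_domain in display.lower():
        tags.append("display-name-shows-internal-address")
    return tags

def tag_all(headers):
    """Map each From: header to its tags, e.g. to prepend an [EXTERNAL] banner."""
    return {h: check_sender(h) for h in headers}

# Constructed sample headers, not taken from any real incident.
SAMPLES = [
    "Jane Wanjiru <jane@corp.example>",
    "Jane  WANJIRU <ceo.office@freemail.example>",
    '"jane@corp.example" <billing@freemail.example>',
    "Supplier Desk <sales@vendor.example>",
]

if __name__ == "__main__":
    for header, tags in tag_all(SAMPLES).items():
        print(f"{header!r:55} {tags}")
```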
To respond to cyberattacks:
- Identify the threat as soon as you can.
- Involve your technicians and ICT team to contain the breach.
- Encrypt the Data.
- Notify law enforcement and Data Protection Regulator.
- Deal with contingencies such as deleting malware or resetting passwords.
- Ensure you update your cybersecurity policies soon thereafter.
- Assess and repair the damage.
- Communicate with the affected customers or clients.
- Learn from experience: do a thorough investigation and determine how to change your systems and procedures to ward off future attacks.
It is also important to note that in case of a cyberattack, you should not wait: act fast even if you are not sure whether it is an attack or not. Secondly, do not cover up the attack, as this might hinder response, investigation and even recovery of lost data. Finally, once you have settled after an attack, invest in proper infrastructure to be more secure.
At A.O.WANGA ADVOCATES we are happy to assist you with all your data protection concerns in Kenya. For more information, contact us at info@aowangaadvocates.com or +254794600191.