An interesting development occurred in Nigeria last week. A self-acclaimed Access Bank hacker, one Ihebuzo Chris, posted a video on Twitter in which he spoke about the bank’s security vulnerabilities and flipped through pages of A4 paper containing what he said was the bank’s customers’ sensitive personal information. In a similar vein, a Unity Bank hacker boasted on Twitter that he has Unity Bank’s customers’ data, which he will share with the public in “dumps”. These hackers’ claims have not yet been fully verified, but there are a few lessons here.
First, institutions must understand the importance of building a secure data and information management system. To avoid system vulnerabilities, institutions should have rigorous and tested data governance, risk management, and compliance methodologies that not only detect risks but also notify the company’s stakeholders about unwanted intrusions.
Hackers are on the prowl, and they will continue to test the security protocols of companies both in Nigeria and across the globe. A recent survey reveals that cyber security threats and data privacy issues will increase by over fifty per cent.
Access Bank and Unity Bank took the first right step by reporting these hackers to the governing authorities. This action alone, however, does not eliminate the existing risk.
The second step, therefore, requires an inward analysis and assessment of existing systems. Building a robust information management system must include data governance, risk, compliance and a consistent audit trail. In this particular case, the compliance and risk audits should be their focus.
The amount of information that banks manage is increasing exponentially; the complexity of regulations is growing too. An example of such regulation is the Nigerian Data Protection Regulation (NDPR). Failing to comply with the ever-evolving regulatory policies can lead to fines and reputational damage.
As seen in the recent reports on Access Bank and Unity Bank, both gained bad press and, in doing so, damaged their reputations.
A survey carried out by the Association for Information and Image Management claims that over sixty per cent of the information that gets leaked within institutions happens because of the lack of structure in the data management.
The banks must assess their data governance structure and find the existing gaps. Another step, if they have not done so already, is to centralise all data in a single system and capture where data surfaces in any business unit; that way, they can make governance efficient, seamless and automatic.
This system should be intrusion and penetration tested, and these tests must be carried out regularly, not once. A comprehensive intrusion and penetration test allows a company to identify the vulnerabilities existing within its networks. But, as Dr Matt Bishop, a University of California computer security expert, argues, testing finds flaws that may exist in a system, while failing to find gaps does not mean the system is secure. It therefore behoves stakeholders in institutions to continuously monitor, check and manage their information systems.
Over forty per cent of business executives say that exposure and loss of personally identifiable information poses the most significant risk to their company. It is paramount, therefore, for the banks to draw lessons from this current event: document every vulnerability, assess it, and come up with the best possible way to manage or eliminate it.
All stakeholders of both banks must be on board to protect the institutions from the litigation costs, compliance risks and reputational damage that might arise from these alleged hacks. At the moment, the National Information Technology Development Agency (NITDA), the Nigerian body that ensures companies comply with the Nigerian Data Protection Regulation, has not made a statement about the alleged breaches. The banks, however, need to take some necessary steps.
They should capture all risks existing within their business systems and begin by mitigating the low-hanging fruit that might destabilise their business processes.
These banks also need an excellent Record of Processing Activities (ROPA) document. A ROPA is a living document that the banks can use to record new processors and new activities and to monitor other processes within the bank. This way, the banks’ Data Protection Officer or Chief Privacy Officer covers existing activities, scans them and escalates any issue that might arise within them.
We cannot yet draw conclusions about the details of the alleged Unity Bank and Access Bank hacks. However, executive stakeholders in these banks must begin to test their systems, find existing vulnerabilities and mitigate existing risks. These steps can prevent future intrusions and, more importantly, protect the image of their institutions.
Frontpage February 5, 2020