Sandra Eke[1] Franklin Okoro[2]

  1. INTRODUCTION

In recent years, Nigeria has witnessed a surge in data breach incidents, with cyberattacks playing a pivotal role in compromising the security of sensitive information.[3] In the digital age, the prevalence of cyber threats necessitates a comprehensive strategy to safeguard individuals, organizations, and nations. Mitigating cyberattacks requires a multifaceted approach encompassing technological, organizational, educational and institutional measures to reduce the occurrence of data breach incidents in Nigeria. This article delves into the complex interplay between cyberattacks and data breaches in Nigeria, exploring the factors contributing to this alarming trend and the imperative for robust cybersecurity and data protection measures.

  2. UNDERSTANDING CYBER-ATTACKS AND PERSONAL DATA BREACHES

Although the terms "cyberattack" and "personal data breach" are often used interchangeably, it is paramount to note that not all cyberattacks involve personal data breaches and not all data breaches occur as a result of cyberattacks.[4] A cyberattack is any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself,[5] while a personal data breach is a breach of security of personal data leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.[6] It is noteworthy that a large number of personal data breach incidents occur as a result of cybercriminal activity.

  3. LEGAL FRAMEWORK

Nigeria has taken steps to address cybercrime through legislation. The Cybercrime (Prohibition, Prevention, etc.) Act[7] serves as the principal legal framework to combat various forms of cybercrime, including hacking, identity theft, phishing and denial of service attacks. The law provides law enforcement agencies with the tools needed to investigate and prosecute cybercriminals. Also, the Nigeria Data Protection Act (NDPA) was enacted to promote data processing practices that safeguard the security of personal data and the privacy of data subjects.[8] In addition to these statutes, there are other legislative and regulatory instruments that address the monitoring, detection, prevention, mitigation and management of data breach incidents in Nigeria. They include: the Nigeria Data Protection Regulation, 2019 ("NDPR"); the Nigeria Data Protection Regulation Implementation Framework, 2020; the Advance Fee Fraud and other Related Offences Act (2006);[9] the Terrorism (Prevention and Prohibition) Act, 2022;[10] the NCC Guidelines for the Provision of Internet Service;[11] and the Risk-Based Cybersecurity Framework and Guidelines for Other Financial Institutions, 2022.[12]

  4. COMMON CYBERATTACKS THAT HAVE LED TO DATA BREACH INCIDENTS

4.1 Hacking

Hacking involves compromising digital devices and networks through unauthorized access to an account or computer system.[13] Under the Cybercrimes Act, it is unlawful for any person to intentionally access a computer system, in whole or in part, for a fraudulent purpose in order to obtain data vital to national security.[14] It is also an offence under the Act for any person or organisation to knowingly and intentionally traffic in any password or similar information through which a computer may be accessed without lawful authority, especially if such trafficking affects public, private and/or individual interests within or outside the Federation of Nigeria.[15] An example of this type of cyber threat that led to a data breach incident was the attack on MoMo Payment Service Bank, a financial services subsidiary of MTN Nigeria, a telecoms multinational. In this case, the company's systems were allegedly hacked by cybercriminals who gained access to multiple individuals' accounts, causing the company to suffer losses worth $53 million from 700,000 unauthorized transfers to about 8,000 accounts spread across 18 Nigerian commercial banks.[16] Similarly, in 2022, Patricia, a well-known Fintech company and digital marketplace in Nigeria, was reported to have suffered a cyberattack that led to a loss of about $2 million.[17] This incident was said to have resulted from the hacking of some of the company's trading platforms.[18] Another example of a hacking incident that led to a significant data breach was the attack on the software vendor SolarWinds in 2020. In this case, Russian state actors executed a supply chain attack by hacking the software vendor and covertly distributing malware to its customers.[19] This enabled Russian spies to gain access to the confidential information of various U.S. government agencies that used SolarWinds' services, including the Treasury, Justice, and State Departments.[20]

4.2 Phishing

Phishing attacks remain a prevalent method for initiating data breaches. Cybercriminals use deceptive emails, messages, or fake websites to trick individuals into divulging confidential information, providing an entry point for unauthorized access.[21] Under the Cybercrimes Act, it is an offence for any person to knowingly or intentionally engage in computer phishing.[22] It is unlawful to engage in the criminal and fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in electronic communication, whether through email or instant messaging; an example is a text message that appears to come from a user's bank asking the user to change his or her password or to reveal his or her identity, so that such information can later be used to defraud the user.[23] An example of a phishing attack that led to a data breach incident was the attack on a renowned video game publisher known for games like Call of Duty and World of Warcraft. The data breach occurred in December 2022 but only surfaced in February 2023.[24] The cybercriminals gained access to the company's internal systems through an SMS phishing attack on a targeted employee who worked in the company's Human Resources department and had access to a significant amount of sensitive employee information.[25] The cybercriminals were able to obtain sensitive employee information such as full names, email addresses, phone numbers, and financial data like salaries, work locations, and more.[26] In the same vein, a noteworthy local cyberattack/data breach in the form of a business email compromise was allegedly perpetrated by a couple.[27] The attack was achieved through unauthorized access to a company's email account/website, which made it possible for the cybercriminals to create slight variations of the company's legitimate email address in order to deceive the victim into thinking the fake accounts were authentic.[28] The cybercriminals also sent spear phishing emails to the company to gain access to its accounts, calendars and data, resulting in the diversion of over N51 million from the company.[29]
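The business email compromise described above relied on sender addresses that differ from the company's legitimate address by only a character or two. The following is an added example (not code from the article or from any organisation it mentions) of a mail-gateway style check that flags such lookalike sender domains by edit distance against a constructed list of trusted domains; the domain names and sample senders are constructed for illustration.

```python
# Constructed list of legitimate partner/company domains (assumption for this example).
TRUSTED_DOMAINS = {"example-ltd.ng", "supplier.com"}

# Constructed sample "From" addresses, as they might appear in invoice-related email.
SAMPLE_SENDERS = [
    "accounts@example-ltd.ng",   # legitimate
    "accounts@examp1e-ltd.ng",   # digit 1 substituted for the letter l
    "accounts@example-ltd.co",   # top-level domain swapped
    "finance@supplier.com",      # legitimate
    "finance@supp1ier.com",      # lookalike of supplier.com
    "newsletter@unrelated.org",  # not similar to any trusted domain
]

# Domains within this many single-character edits of a trusted domain are flagged.
# Two is a reasonable starting point; very short domains may need a tighter threshold.
MAX_LOOKALIKE_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Return the lowercased domain part of an email address ('' if malformed)."""
    _, sep, domain = address.strip().lower().rpartition("@")
    return domain if sep else ""


def classify_sender(address: str, trusted=TRUSTED_DOMAINS):
    """Return (verdict, closest_trusted_domain, distance) for a sender address."""
    domain = sender_domain(address)
    if domain in trusted:
        return ("trusted", domain, 0)
    closest = min(trusted, key=lambda t: levenshtein(domain, t))
    dist = levenshtein(domain, closest)
    if dist <= MAX_LOOKALIKE_DISTANCE:
        return ("lookalike", closest, dist)  # near-miss of a trusted domain: alert
    return ("unknown", closest, dist)  # unrelated domain: normal handling


def scan(senders):
    """Classify every sender address and return the results as a list of tuples."""
    return [(addr, *classify_sender(addr)) for addr in senders]


if __name__ == "__main__":
    for addr, verdict, closest, dist in scan(SAMPLE_SENDERS):
        print(f"{verdict:9} {addr:28} closest={closest} distance={dist}")
```

A "lookalike" verdict is a signal for review, not proof of fraud; it is most useful combined with checks on the message's authentication results and on any change to payment details.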

4.3 Identity theft

Identity theft cyberattacks involve the unauthorized access, use, or manipulation of personal information to impersonate an individual for fraudulent purposes, typically for economic gain.[30] Section 22(1) of the Cybercrimes Act makes it an offence for any person who is engaged in the services of a financial institution and, as a result of special knowledge so acquired, commits identity theft of an employer, staff, service providers or consultants with intent to defraud. Furthermore, under Section 22(2)-(3) of the Act, it is an offence for any person to fraudulently or dishonestly make use of the electronic signature, password, or any other unique identification feature of any other person, or to fraudulently impersonate another entity or person, living or dead, with intent to gain advantage for himself or another person.

4.4 Ransomware and Malware attacks

Cybercriminals can gain access to a target network by exploiting weaknesses in an organization's IT infrastructure, such as its website, operating systems, endpoints, and commonly used software like Microsoft Office or web browsers.[31] Once hackers identify a vulnerability, they often use the opportunity to inject malware into the network. That malware may be ransomware, which is designed to deny a user or organization access to the files on their computer, usually by encrypting those files and demanding a ransom payment for the decryption key.[32]

A notable ransomware attack was the recent attack on a popular sports betting company in Nigeria, Bet9ja. The company suffered a cyberattack that rendered its platform inaccessible to users, who were locked out of their accounts and unable to place bets on the platform.[33] The cybercriminals demanded a ransom payment from the company as the condition for regaining access to its website.[34]

  5. ACTIONS DATA CONTROLLERS/PROCESSORS CAN TAKE TO REDUCE THE OCCURRENCE OF CYBERATTACKS AND DATA BREACH INCIDENTS

5.1 Improvement of Technical Security Measures

Inadequate cybersecurity infrastructure and awareness contribute to the success of cyberattacks. Many organizations face challenges in implementing robust security measures, leaving them vulnerable to exploitation by cybercriminals seeking weak points. To counter the role of cyberattacks in data breaches, there must be sustained investment in cybersecurity resilience.[35] This includes upgrading security technology tools, conducting periodic risk assessments, and fostering a culture of cybersecurity within the organization.[36] Other technical measures that an organisation could adopt include pseudonymisation or other methods of de-identification of personal data, the use of firewalls and encryption technologies, and regular testing, assessment and evaluation of the effectiveness of the measures implemented against current and evolving risks.[37]

5.2 Improvement of Organizational Security Measures

Data breaches are not solely orchestrated from external sources; insider threats and employee negligence also play a key role. Whether intentional or accidental, the compromise of sensitive information from within organizations remains a pertinent concern. Companies should therefore adopt robust organisational measures to reduce the occurrence of cyberattacks and data breaches. These measures include the adoption of data protection policies and access control policies, conducting due diligence on vendors to assess their security practices before engaging them, regularly backing up critical data to facilitate quick recovery in case of a data breach, implementing thorough offboarding procedures to revoke access for departing employees, and restricting physical access to data centres, servers, and critical infrastructure.[38]

5.3 Appointment of a Data Protection Compliance Organisation (DPCO)

DPCOs are licensed organisations in Nigeria possessing expert knowledge of data breach incident management and of the data protection compliance requirements applicable to an organisation involved in data processing.[39] They can assist an organisation in preventing data breaches by conducting a comprehensive audit of its systems and data protection practices, and by drawing up a remedial plan for identified areas within its systems that are prone to cyberattacks and data breaches.[40]

5.4 Regular Training and Increased Awareness

Increasing awareness of cybersecurity risks is pivotal. Educating individuals and organizations on recognizing and mitigating cyber threats can serve as a proactive measure against falling victim to data breaches. Organisations are therefore expected to conduct regular training for their employees and contractors to reduce the likelihood of cyberattacks and data breaches materializing. In the absence of an internal expert within the company, a DPCO or a legal professional with adequate expertise in data protection compliance could be engaged to conduct this training.

  6. CONCLUSION

As Nigeria navigates the intricate landscape of data breaches, addressing the role of cyberattacks is paramount. A concerted effort involving government initiatives, private sector commitment, and individual vigilance is necessary to fortify the nation's cybersecurity defenses and protect against the pervasive threat of data breaches. The fight against cyber threats requires continuous and proactive effort. By combining improved technical measures, organizational preparedness, and individual awareness, organisations can build a resilient defense against the evolving landscape of cyberattacks and data breaches in Nigeria.

Footnotes

[1] Sandra Eke, Associate, Intellectual Property and Technology Department, SPA Ajibade & Co, Lagos, Nigeria.

[2] Franklin Okoro, Associate, Intellectual Property and Technology Department, SPA Ajibade & Co, Lagos, Nigeria.

3. TechCabal, "Nigeria is witnessing a disturbing surge in data breaches" available at: https://techcabal.com/2023/05/23/nigeria-is-witnessing-a-disturbing-surge-in-data-breaches/ accessed 19th December 2023.

4. IBM, "What is a data breach?" available at: https://www.ibm.com/topics/data-breach accessed 19th December 2023.

5. NIST Computer Security Resource Centre, "Cyberattack" available at: https://csrc.nist.gov/glossary/term/cyber_attack accessed 20th December 2023.

6. See, Section 65 the Nigeria Data Protection Act (NDPA) 2023, Gazette No.119, Vol. 110 (1st July 2023).

7. The Cybercrime (Prohibition, Prevention, etc.) Act of 2015.

8. See, Section 1 (1)(c) NDPA.

9. Cap A6 LFN 2004.

10. Gazette No. 91, Vol 91 (16th May 2022).

11. NCC, "Guidelines for the Provision of Internet Service" available at: https://ncc.gov.ng/docman-main/legal-regulatory/guidelines/62-guidelines-for-the-provision-of-internet-service/file accessed 29th December 2023.

12. CBN, "Risk-Based Cybersecurity Framework and Guidelines for Other Financial Institutions" available at: https://www.cbn.gov.ng/Out/2022/OFISD/Letter%20to%20all%20OFIs%20Issuance%20of%20RiskBased%20Cybersecurity%20Framework%20and%20Guidelines%20for%20Other%20Financial%20Institutions.pdf accessed 29th December 2023.

13. Fortinet, "What is Hacking: Types of Hacking & More" available at: https://www.fortinet.com/resources/cyberglossary/what-is-hacking accessed 18th December 2023.

14. See, Section 6 of the Cybercrimes Act.

15. Ibid.

16. Quartz, "MTN's mobile money push into Nigeria was hacked for millions within days" available at: https://qz.com/amazon-kuiper-broadband-satellites-1851095971 accessed 24th December 2023.

17. TechCabal, "Patricia's newly reported hack happened in 2022 and cost the company $2 million" available at: https://techcabal.com/2023/05/27/patricia-loses-2m-to-hack/ accessed 27th December 2023. In the same vein, a cyberattack/data breach incident was uncovered by operatives of the Special Fraud Unit, Ikoyi, leading to the arrest of Salau Abdulmalik Femi, the kingpin of a syndicate that specializes in hacking into the servers of banks and corporate agencies. The hacker was arrested after he hacked the Flex-Cube Universal Banking System (FCUBS) of a first-generation bank. With the use of an application software, he created fictitious credits totaling One Billion, Eight Hundred Thousand Naira (N1,868,900,000.00) on the accounts of three (3) of the bank's customers and successfully consummated debits (outflows) amounting to Four Hundred and Seventeen Million, Five Hundred and Forty-Two Thousand Naira (N417,542,000.00) through Internet banking transfers to other banks. See, Special Fraud Unit, "SFU ARREST BANK HACKER OVER N1.87 BILLION FRAUD" available at: https://www.specialfraudunit.org.ng/en/?p=1186 accessed 27th December 2023.

18. Ibid.

19. IBM, "What is a data breach?" available at: https://www.ibm.com/topics/data-breach accessed 19th December 2023.

20. Ibid.

21. IBM, "What is Phishing" available at: https://www.ibm.com/topics/phishing accessed 20th December 2023.

22. Section 32 of the Cybercrimes Act.

23. Ibid.

24. NordLayer, "Breakdown of the 11 most significant 2023 data breaches" available at: https://nordlayer.com/blog/data-breaches-in-2023/ accessed 18th December 2023.

25. Ibid.

26. Ibid.

27. Special Fraud Unit, "Business Email Compromise (Bec): PSFU arrests Husband, Wife for Cyber Fraud involving over Fifty-One Million Naira" available at: https://www.specialfraudunit.org.ng/en/?p=1325 accessed 27th December 2023.

28. Ibid.

29. Ibid.

30. Criminal Division, US Department of Justice, "Identity Theft" available at: https://www.justice.gov/criminal/criminal-fraud/identity-theft/identity-theft-and-identity-fraud accessed 19th December 2023.

31. IBM, "What is a data breach?" available at: https://www.ibm.com/topics/data-breach accessed 19th December 2023.

32. CheckPoint, "What is Ransomware?" available at: https://www.checkpoint.com/cyber-hub/threat-prevention/ransomware/ accessed 20th December 2023.

33. Techpadi, "Bet9ja suffers cyber-attack from Russian-linked hacking group" available at: https://techpadi.africa/2022/04/bet9ja-suffers-cyber-attack-from-russian-linked-hacking-group/ accessed 20th December 2023.

34. Ibid.

35. IT Governance, "What is Cyber resilience" available at: https://www.itgovernance.co.uk/cyber-resilience accessed 19th December 2023.

36. Ibid.

37. Section 39(2) NDPA.

38. Infortrend, "Technical & Organisational Measures" available at: https://www.infortrend.com/us/about/tom accessed 20th December 2023.

39. See, Sandra Eke, "5 Steps To Take When Faced With A Data Breach Incident" available at: https://www.mondaq.com/nigeria/privacy-protection/1159070/5-steps-to-take-when-faced-with-a-data-breach-incident accessed 20th December 2023.

40. Ibid.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.