
Nigeria's social investment coordination platform accidentally leaked tens of millions of citizens' records, exposing everything from home addresses to work backgrounds.
The exposed instance revealed information collected by NASIMS, a platform Nigeria's Federal Ministry of Humanitarian Affairs, Disaster Management, and Social Development utilizes to manage and coordinate various social investment programs.
According to the Cybernews research team, the exposed AWS S3 bucket stored over 23 million files, including passports, birth certificates, educational certificates, and N-Power-submitted applications. N-Power is a social welfare scheme to combat youth unemployment. N-Power applicants use the NASIMS platform to apply to take part in the program.
“The implications of exposing 23 million application-related documents of N-Power candidates could be severe for the affected individuals. Identity theft, fraud, and targeted phishing attacks are the most likely risks for the leaks’ victims,” our researchers said.
Worryingly, the instance remains open to the public, even after multiple attempts to reach NASIMS administrators and relevant authorities in Nigeria. We have also reached out to the ministry behind NASIMS for a comment and will update the article once we receive a reply.
What data leaked, and why is it dangerous?
Documents stored on the exposed instance contain varying sets of citizens' data, but the team determined that the leak revealed:
- Full names
- Dates of birth
- Places of birth
- National Identification Number (NIN)
- Email addresses
- Phone numbers
- Home addresses
- Work background
- Education background
Exposing sensitive and personal data poses numerous threats to the individuals involved. Most pressingly, attackers might utilize the information for identity theft and various fraud schemes. For one, malicious actors could try opening fraudulent bank accounts or use stolen identities for illicit activities while concealing their own identities.
“Another way attackers can exploit similar data sets is by exploiting the identities to access financial services or execute unauthorized transactions, potentially causing long-term financial damage to the victims,” our researchers said.
Cybercrooks could also exploit the leak to carry out targeted phishing and social engineering attacks. For example, malicious actors could attempt to masquerade as legitimate organizations in order to deceive individuals into providing even more sensitive data – such as login credentials – or downloading malware.
The nature of the leaked data enables attackers to craft spear-phishing attacks tailored to each individual or group of individuals. Such attacks are hard to distinguish from legitimate messages, as they often include the targets' personal details and other data points meant to lure in unsuspecting victims.
“Criminals could use the exposed data to offer fake job opportunities or promise assistance with the N-Power application process in exchange for payments or additional personal information, exploiting the candidates' vulnerabilities,” the team explained.
Additional attack vectors involve risks to victims’ physical safety. For example, criminals could exploit leaked data to locate and target victims for various malicious purposes, such as stalking, harassment, or even burglary.
To avoid similar leaks in the future, our researchers advise the following:
- Change the access controls to restrict public access and secure the bucket. Update permissions to ensure that only authorized users or services have the necessary access.
- Retrospectively review access logs to assess whether the bucket has been accessed by unauthorized actors.
- Enable server-side encryption to protect data at rest.
- Use AWS Key Management Service (KMS) to manage encryption keys securely.
- Implement SSL/TLS for data in transit to ensure secure communication.
- Consider implementing security best practices, such as regular audits, automated security checks, and employee training.
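As an added illustration of the first, third, fourth and fifth recommendations (not Cybernews' tooling, and not anything NASIMS runs), the check below audits a bucket's configuration offline, using constructed inputs in the JSON shapes that the S3 GetPublicAccessBlock, GetBucketPolicy and GetBucketEncryption calls return; the bucket name and key alias are placeholders.

```python
import json

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def _principals(stmt):
    # "Principal": "*" and {"AWS": "*"} both mean "anyone on the internet"
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    aws = p.get("AWS", []) if isinstance(p, dict) else []
    return [aws] if isinstance(aws, str) else list(aws)

def audit_bucket(public_access_block, policy_json, encryption):
    """Return a list of findings; an empty list means every check passes."""
    findings = []
    for flag in PAB_FLAGS:  # recommendation 1: block public access
        if not public_access_block.get(flag, False):
            findings.append(f"public access block: {flag} is off")
    denies_plain_http = False
    for stmt in json.loads(policy_json).get("Statement", []):
        public = "*" in _principals(stmt)
        cond = stmt.get("Condition", {}).get("Bool", {})
        insecure = str(cond.get("aws:SecureTransport", "")).lower() == "false"
        if stmt.get("Effect") == "Allow" and public:
            findings.append(f"policy: {stmt.get('Sid', '?')} grants {stmt.get('Action')} to everyone")
        if stmt.get("Effect") == "Deny" and public and insecure:
            denies_plain_http = True  # recommendation 5: TLS in transit
    if not denies_plain_http:
        findings.append("policy: plain-HTTP requests are not denied")
    rules = (encryption or {}).get("Rules", [])  # recommendations 3 and 4
    algo = next((r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
                 for r in rules), None)
    if algo is None:
        findings.append("encryption: no default server-side encryption")
    elif algo != "aws:kms":
        findings.append(f"encryption: default is {algo}, not a KMS-managed key")
    return findings

# Constructed samples in the shapes the S3 API returns (no real bucket is queried).
OPEN_BUCKET = {"public_access_block": {}, "encryption": None,
    "policy_json": json.dumps({"Statement": [{"Sid": "PublicRead", "Effect": "Allow",
        "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})}
HARDENED_BUCKET = {"public_access_block": dict.fromkeys(PAB_FLAGS, True),
    "policy_json": json.dumps({"Statement": [{"Sid": "DenyInsecureTransport", "Effect": "Deny",
        "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}),
    "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault":
        {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/example-key"}}]}}
```

`audit_bucket(**OPEN_BUCKET)` reports seven findings for the open configuration, while `audit_bucket(**HARDENED_BUCKET)` returns an empty list.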
- Leak discovered: October 20th, 2024
- Initial disclosure: October 23rd, 2024
- CERT contacted: February 6th, 2024