PwC Nigeria tech bootcamp IDs exposed

Participants in PricewaterhouseCooper’s (PwC) Nigeria Tech Talent Bootcamp are at risk of identity theft after private data was leaked from a misconfigured Amazon Web Services account, a Cybernews investigation reveals.

On July 21st, a routine check using open-source intelligence (OSINT) methods conducted by the Cybernews research team revealed a misconfigured Amazon AWS bucket.

The bucket containing nearly 25,000 sensitive PwC Nigeria files has been attributed to a third-party vendor, Xerde Tech.

AWS bucket is a cloud-based digital storage container for storing files and data, and it can be accessed from anywhere with an internet connection.

The PwC Bootcamp event took place in 2022, a six-week program aimed at individuals aged 18 to 30 in Lagos, Nigeria. Therefore, it is quite possible that the data was exposed for an extended period of time.

The 24,668 exposed files include:

  • Copies of passports/government-issued IDs
  • Resumes with phone numbers, home and email addresses, and other private information
  • Copies of degree/university certificates
PwC Nigeria Tech Talent Bootcamp

PwC is the world's second-largest accounting and services company, with a presence in 152 countries and over 327,000 employees. PwC’s Nigeria office has been operating since 1953. And Xerde is a Lagos-based technology development company.

PwC was also among the victims of the MOVEit attack earlier this year. The Cl0p ransom gang released data belonging to the company, in 11 batches on the dark web and four on the publicly accessible clear web.

Cybernews reached out to PwC Nigeria, and the company resolved the issue, though it had not commented at the time of writing.

User caution is advised

The main risks associated with leaked passport details and other sensitive information are as follows:

Identity theft – When IDs get leaked, valuable personal data can be exploited to commit identity theft. In addition, resumes contain personal details like home address and phone number. If all these end up in the wrong hands, they might be used for identity theft or other nefarious purposes.

Financial fraud – Individuals with exposed IDs may become a target of fraud, in which unlawful transactions or loans are made in their name, resulting in financial losses and credit score damage.

Spear phishing and scam – Criminals may exploit leaked passport information to create sophisticated phishing campaigns or social engineering attacks on impacted individuals. Exposed data of job seekers exposes them to the danger of being targeted by fraudulent recruitment organizations. This would be pretty simple since fraudsters would already have sufficient details about potential victims to disguise their intended scam as appealing job opportunities.

The bootcamp contest participants should consider contacting the authorities responsible for issuing new IDs, passports, or other documents and invalidating the exposed ones.

Researchers advise that individuals should exercise caution when encountering unprompted messages that contain their personal details. They recommend periodically reviewing email accounts, credit reports, and bank statements for any unfamiliar activity or newly opened accounts that could suggest identity theft has occurred using stolen personal information.

Keeping an eye on your financial documents and correspondence can help identify misuse of private identifiers at the early stage. Individuals can also consider changing their phone numbers or email addresses for added safety, but the golden rules include using strong passwords, multi-factor authentication (2FA), and avoiding opening suspicious emails or clicking on email attachments or links.

Companies should keep data encrypted

The lesson from this incident is that companies should be careful when setting the AWS bucket’s access settings. Also, Cybernews researchers recommend that they secure sensitive data using AWS’s server-side encryption, such as KMS or AWS s3-managed keys.

Best cybersecurity practices include regular audits, automated security checks, and employee training.

“Monitor access logs retrospectively to determine whether third parties have accessed data within the bucket. If confirmed that the bucket has been breached, inform Data Protection Authorities and the affected individuals,” Cybernews researchers said.