Friday, April 26, 2024

BusinessDay

Amazon S3 leak reveals flaws in Nigeria’s data protection


Data protection and privacy arguably received more attention in 2018 than in any previous year. Many countries took active steps to police the use of their citizens' data and to hold corporate organisations accountable for abuses. The Facebook-Cambridge Analytica breach was an eye-opener and has since become the subject of regulatory inquiries that have continued into the new year.

While the rest of the world saw it as expedient to address the vulnerability of its data in cyberspace, in Nigeria, as in many African countries, data breaches involving big organisations go unaccounted for, with dire repercussions for businesses and for the privacy of individuals.

The loud silence that followed the recent Amazon S3 leak of data allegedly belonging to customers of Arik Air in Nigeria is a good example. More than three months after the incident was reported, there has been no regulatory investigation, no serious engagement with customers, and no reported customer complaints.

On September 6, 2018, Justin Paine, head of trust and safety at Cloudflare, a San Francisco-based cyber security company, discovered a bucket containing a large number of CSV files while routinely scanning for open, publicly exposed Amazon S3 buckets.

Amazon Simple Storage Service (S3) is object storage for the internet, designed to make web-scale computing easier for developers. It exposes a simple web services interface that can be used to store and retrieve any amount of data, at any time, from anywhere on the web. A bucket is private to its owning AWS account by default; an "open" bucket of the kind Paine was scanning for is one whose owner has attached a bucket policy or access control list that grants read or list permission to anyone, so that its contents can be enumerated and downloaded without credentials.
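
How a bucket ends up "open", shown as an added example that is not part of this article and is not Cloudflare's or Arik Air's code: S3 has two mechanisms that make a bucket world-readable, a bucket policy whose Principal is "*" (or {"AWS": "*"}) and a bucket ACL that grants READ to the AllUsers or AuthenticatedUsers group, and one account-level guard, Block Public Access, that neutralises both when all four of its switches are on. The Python below checks JSON of the shape returned by `aws s3api get-bucket-policy`, `get-bucket-acl` and `get-public-access-block` (the inner `PublicAccessBlockConfiguration` object). All sample inputs are constructed; the bucket name `example-exports`, the account ID `123456789012` and the role `exports-reader` are placeholders.

```python
"""Offline checks for the S3 settings that make a bucket world-readable.

Added example. Evaluates JSON of the kind returned by
`aws s3api get-bucket-policy`, `get-bucket-acl` and `get-public-access-block`.
Every input below is constructed; the bucket, account ID and role are placeholders.
"""
import json

# The two pre-defined groups an ACL can grant to; a grant to either means "public".
# Bucket-level READ in an ACL is s3:ListBucket, which is what lets an anonymous
# scanner enumerate every object in the bucket.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def _is_anonymous_principal(principal):
    """True for the two spellings of 'anyone': "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Return Allow statements that grant anonymous access with no Condition."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement need not be wrapped in a list
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # scoped (e.g. to a VPC or source IP); review by hand, not an automatic finding
        actions = stmt.get("Action", [])
        findings.append({
            "Sid": stmt.get("Sid"),
            "Action": [actions] if isinstance(actions, str) else list(actions),
            "Resource": stmt.get("Resource"),
        })
    return findings


def public_acl_grants(acl):
    """Return (group URI, permission) pairs granted to AllUsers/AuthenticatedUsers."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            hits.append((grantee["URI"], grant.get("Permission")))
    return hits


def public_access_block_complete(config):
    """True only when all four Block Public Access switches are enabled."""
    return all(config.get(key) is True for key in PUBLIC_ACCESS_BLOCK_KEYS)


# --- constructed sample inputs (placeholders, not real resources) -------------
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ExportsReadable",
        "Effect": "Allow",
        "Principal": "*",                      # anyone on the internet
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-exports", "arn:aws:s3:::example-exports/*"],
    }],
}

HARDENED_POLICY = {  # same grant, limited to one hypothetical IAM role
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ExportsReadable",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/exports-reader"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-exports", "arn:aws:s3:::example-exports/*"],
    }],
}

WEAK_ACL = {  # shape of `get-bucket-acl`: owner plus a public READ (= list) grant
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

FULL_PUBLIC_ACCESS_BLOCK = {key: True for key in PUBLIC_ACCESS_BLOCK_KEYS}

if __name__ == "__main__":
    print("weak policy findings:", public_policy_statements(WEAK_POLICY))
    print("hardened policy findings:", public_policy_statements(HARDENED_POLICY))
    print("weak ACL grants:", public_acl_grants(WEAK_ACL))
    print("Block Public Access complete:", public_access_block_complete(FULL_PUBLIC_ACCESS_BLOCK))
```

The policy check deliberately skips statements that carry a Condition: a wildcard principal scoped to a VPC endpoint or source IP range is not necessarily public, and auto-flagging it produces noise. The ACL check is the one that matters most for a 2018-era leak of this kind, since a bucket-level READ grant to AllUsers is exactly what allows anonymous listing of every file.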


After reviewing the files, Paine said he concluded that the sensitive data belonged to Arik Air.

“After concluding the CSV files were likely owned by Arik Air (or their payment processor) I immediately attempted to make contact with Arik Air to notify them of this data leak,” Paine stated. “To say this process was challenging would be an understatement.”


Inside the S3 bucket were 994 CSV files. Some of the files had more than 80,000 rows of data, others more than 46,000, and in some cases a file contained only three rows. The leaked fields included the customer's email address, name, IP address at the time of purchase and a hash of the customer's credit card number, among others. Hashing a card number is weak protection on its own: once the issuer prefix is known, the remaining digits span a small enough space that a plain, unsalted hash can be reversed by enumeration.

Arik Air's response is particularly interesting. After a month in which it allegedly failed to reply to emails and to multiple messages on its corporate Facebook page, and after Paine finally made contact, the airline informed thousands of its followers on social media that it does not use Amazon S3 for its hosting services.

“Our online platforms are up and running and not under attack. Arik Air takes IT security and protection of customer data seriously. We are reviewing all our systems including interface with third party processors to eliminate vulnerabilities,” Arik Air said in the statement. Later versions of the story from unofficial sources alleged that Paine tried to extort money from the airline.


Regardless, the fact that no authority was there to challenge Arik Air's response is part of the problem with policing data protection in Nigeria. It will be recalled that Nigerian authorities also took no action when Facebook revealed in April 2018 that nearly 200,000 Nigerians had their data breached by Cambridge Analytica.

First, the Nigerian constitution is not clear on data protection and the agency that should regulate it.


However, the Act that established the National Information Technology Development Agency (NITDA) empowers the agency to “develop guidelines for electronic data interchange and other forms of electronic communication.”


“It is really not surprising that no regulatory action was taken with respect to the alleged data leak,” Enyioma Madubuike, a data protection lawyer and founder of LegitNG told BusinessDay, “We are still centuries away from understanding the import of the issues around data in a digital world. We are not taking it as seriously as I believe we should.”


A quick Google search for 'data protection in Nigeria' returns about 119,000,000 results, one of which is a link to 'Data protection guidelines 2017' posted by NITDA. When one clicks the link, however, the page is empty.

Madubuike explains that NITDA has draft data protection guidelines which when finalised should be enforceable in this type of instance.


“There are arguments that an earlier guideline released by the agency is enforceable. If that is conceptually true, NITDA does not appear to be interested in enforcing it as it is in the process of providing a revised version,” Madubuike said.


The Agency had in 2013 published the NITDA Guidelines on Data Protection (version 4.0), which prescribed minimum data protection standards for all organisations or persons that control, collect, store or process personal data of Nigerian residents and citizens within and outside Nigeria.


Ngozi Aderibigbe, managing associate at Jackson, Etti & Edu, told BusinessDay that NITDA has not shown any will to enforce the data protection standards set out in the NITDA Guidelines.

“In fact, the agency has hardly created awareness on the existence of these Guidelines,” she said, “As far as I know, the only instance where NITDA has issued a public statement on data protection in recent times was to warn Nigerians about the EU GDPR and its possible effects on Nigerian businesses. NITDA was more keen on encouraging compliance with the EU GDPR than it was for its own data protection guideline.”


NITDA had not responded to BusinessDay's questions on the guideline or on the status of the Amazon S3 leak as at the time of publication of this article.

The earliest known reference to data privacy in Nigeria is found in the Section 37 of the 1999 Constitution. The section makes provision for protection of rights of citizens to their privacy and the privacy of their homes, correspondence, telephone conversations and telegraphic communication.


But the NITDA Guideline of 2013 is the closest the country has ever come to having a data protection law, which raises the question: why is it not in force yet?

Adedeji Olowe, CEO of Trium Limited and an expert on Open Banking, said the Amazon S3 leak underscores how pervasive security lapses have become for technology companies worldwide, and warned that if nothing is done, a Nigerian bank, fintech or government agency could be the next victim.