The news: The Plateau State Contributory Health Care Management Agency (PLASCHEMA), a Plateau State-led healthcare scheme, has been accused of a data breach that exposed the personal data of citizens registered under it.
What you should know: According to reports by Website Planet, PLASCHEMA left 11 of its buckets (virtual containers that hold data) unprotected, leaving innocent persons exposed to further cyber attacks, because the exposed information is a tool for cyber attackers.
The buckets contained over 75,000 files totaling 45GB of data. On the insecure website, patients’ full names, dates of birth, height, sex, occupation, blood group, address, state, town/village, local government area, place of birth, parents’ full names, registration details, etc. were accessible to anyone surfing the web.
How secure is PLASCHEMA’s cyber data?
The big question is, “How secure is PLASCHEMA’s cyber data?” If Website Planet could discover the buckets, the next person surfing the web would have the same easy access, with no encryption or password protection standing in the way.
Website Planet further stated that it went back and forth with the Nigerian Computer Emergency Response Team (CERT) to get the buckets secured before malicious actors could infiltrate them. However, the issue was not dealt with promptly, leaving a wide window of 2 months, with about 12 contacts with CERT, from April 5th, 2022, the date the first query was filed.
The PLASCHEMA DG was unavailable after we made several attempts to reach him. However, during a radio interview on KT FM Jos, Dr. Fabong Jemchang Yildam debunked claims regarding the exposure of data to the general public and further assured beneficiaries that their data is safe, secure and protected from external invasion.
The DG stated that the agency was in partnership with the Plateau State Information and Communication Development Agency (PICTDA) and that if there had been any breach, they would have been aware.
“Cybersecurity is a continuous process and no matter how good you are, you need to be changing the patterns, timing, time out to secure yourself and if by any reason or public goal they discovered that, PICTDA should be informed or PLASCHEMA should be informed”, he said. “PICTDA is the block on which PLASCHEMA has built an information and communication network”.
He further added that although there have been certain periodic setbacks and malicious attempts from third-party entry points, there has always been a rapid response to ensure the data are protected. Dr. Yildam also denied being contacted by Website Planet, contrary to the April timeline claimed by the website reviewers.
“They (Website Planet) claim that they had alerted us in April and there is absolutely not enough evidence to show that we were either communicated or alerted. Our parent body, PICTDA, is not aware”, he said.
We Asked An Expert
In a chat, Ruth Ki, a data security expert, disclosed that data security isn’t a priority within the state. Ms. Ki added that the consequences of this breach could earn PLASCHEMA a lawsuit from the National Information Technology Development Agency (NITDA).
“If further research confirms that such confidential information was stored on the internet in plain words without any form of data encryption, the implication will be that they have exposed their beneficiaries to the danger of being victimized by cyber attackers”, she said. “The consequences of this careless act from the Agency can earn them a lawsuit for a data breach of data confidentiality by the victims or NITDA (National Information Technology Development Agency) because such activity is illegal in Nigeria”.
Ki also explained the difference between compromised data and lost data. According to the data security expert, compromised data involves third-party access, while lost data can easily be retrieved and stored back.
“The data has been compromised and not lost because the agency still has access to the information while we may assume that third parties who are not supposed to access such confidential data have access to them. PLASCHEMA might not be able to retrieve the data back but they can secure their site to avoid further compromise”, she said.
Data encryption and password authentication are two major means of securing valuable online databases. Using both prevents data breaches from reoccurring. Cybersecurity sensitisation also needs to be taught and understood, from personal to organisational levels. This offers an edge against cybercrime.
“Having tech skills is not enough to stay healthy on the space. I know developers whose confidential data was breached because of a simple password security knowledge they lacked. We need a lot of sensitization. From personal to organisational levels, we need to understand how the web works and how best we can stay healthy on it”, Ki said.