Data breach by Plateau health agency - PLASCHEMA - exposes personal data of thousands of citizens

A data security report by the Website Planet research team has revealed a data breach affecting the Plateau State Contributory Health Care Management Agency (PLASCHEMA).

According to the findings sent to IT Edge News, personal data of thousands of citizens have been exposed in breach of Nigeria Data Protection Regulation (NDPR) 2019. The country’s data protection ombudsman, Nigeria Data Protection Bureau (NDPB), has already been alerted.

“Our security team recently discovered a data breach exposing PLASCHEMA, a Nigerian governmental healthcare agency. They had an open and unprotected Amazon bucket, which contained over 75,000 files, exposing more than 37,000 people. It exposed identity documents revealing applicants’ personal information such as full names, dates of birth, physical address, and much more,” the report by Website Planet noted.

PLASCHEMA was established over two years ago by the Plateau State government to reduce the cost of medication for all citizens residing within Plateau state.

According to the report, the Nigerian healthcare agency’s unsecured buckets exposed thousands of applicants’ personal data; about 45GB of data totaling over 75,000 files.

Company name and location:	PLASCHEMA (Plateau State Contributory Health Care Management Agency), based in Nigeria
Size (in GB and amount of records/files):	Around 45GB, totaling over 75,000 files
Data Storage Format:	AWS S3 bucket
Countries Affected:	Nigeria – citizens of Plateau state

The security team noted: PLASCHEMA “had an open and unprotected Amazon bucket, which contained over 75,000 files, exposing more than 37,000 people. It exposed identity documents revealing applicants’ personal information such as full names, dates of birth, physical address, and much more.”

Website Planet researchers discovered PLASCHEMA’s buckets, left in open form, without any encryption or password protection, as part of our extensive web mapping project. We use web scanners to identify unsecured data stores on the internet. We responsibly analyze, secure, and report these data incidents to raise awareness about the dangers of cybercrime and help affected companies and users.

Status of the Data Exposure

We found PLASCHEMA’s open bucket on April 3rd, 2022.

April 5th, 2022: We messaged the Nigerian government.
April 11th, 2022: We sent follow-up messages to previous contacts and contacted the Nigerian CERT.
April 14th, 2022: We sent more follow-up messages to previous contacts and the Nigerian CERT.
April 15th, 2022: We messaged AWS regarding the breach.
April 25th, 2022: We contacted the Nigerian CERT via Twitter.
April 26th, 2022 – May 2nd, 2022: We sent several follow-up messages to different Nigerian CERT addresses and received two auto-replies.
May 10th, 2022: We contacted the Nigerian CERT via Twitter again and they responded, asking for more information.
May 11th, 2022: We responsibly disclosed the incident to the Nigerian CERT. We also emailed Nigeria’s Data Protection Officer.
May 12th, 2022: The Nigerian CERT responded to our message, saying “We will ensure the incident is resolved as soon as possible.”
May 25th, 2022: We contacted the Nigerian CERT again since the buckets were still unsecured.
May 30th, 2022: The Nigerian CERT responded to our message, saying they suffered a setback while trying to contact PLASCHEMA, but that they had sent a hardcopy letter to the organization.
Jun 09th, 2022: Contacted the Nigerian CERT again, since the buckets were unsecured. They replied that same day, telling us that they contacted the organization hoping that they would secure the buckets.

Customer Data Exposed

Applicants’ PII: Identity documents containing full names, dates of birth, height, sex, occupation, blood group, address, state, town/village, local government area, place of birth, parents’ full names, registration details, etc.
Applicant photos: Identification photos of citizens applying to PLASCHEMA’s program.

Protecting Your Data

Affected Plateau State citizens should monitor social media and other popular sites and services for fake accounts in their names.

Read more details of the report here: https://www.websiteplanet.com/blog/plaschema-breach-report/

IT Edge News is not publishing images and other documents of the applicants already exposed online in compliance with the NDPR.

Data breach by Plateau health agency – PLASCHEMA – exposes personal data of thousands of citizens

Status of the Data Exposure

Customer Data Exposed

Protecting Your Data

More in News

Isospec secures investment for biomarkers breakthrough tech

Nigerian student pioneers agritech solution to food insecurity

SoftTalk Messenger revolutionizes communication with enhanced privacy features

NASENI and NIPSS forge partnership to boost digital economy and job creation

Impact of AI, hybrid work top HR challenges in 2024

Why E-commerce is Thriving in South Africa

Nigeria Startup Portal opens for labelling

HID and partners add mobile credentials in Google Wallet™ for Android users

Technology Picks

TECH TIPS: Taming Group Chats with WhatsApp’s ‘Mute’ Feature

Classic account takeover via the direct deposit change

FiberOne Broadband Exhibits at the Techpoint Lagos StartUp Expo in Lagos

Agu Collins Agu: Unity Board Pro Bare PCB has finally arrived!

Editorial

The Case for Globacom: Dangers of NCC’s ‘Pre-Disconnection Notice’ on indigenous telecoms enterprises

Nigeria Data Protection Act is milestone progress at balancing privacy and innovation

Upcoming Events

Explore the intersection of education and innovation in Kigali from 29-31 May

Unlocking Africa’s Potential: A Seminar Shaping the Future of Finance and Entrepreneurship

Attend the Step Conference 2024 in Dubai Internet City

Status of the Data Exposure

Customer Data Exposed

Protecting Your Data

More in News

You may also like

Technology Picks

Editorial

Upcoming Events

Let's Delight You with Our Beautifully Crafted Newsletter!