By 
More than 200 Nigerian organisations straddling financial companies including the major banks; ICT and telecom firms as well as publicly owned entities recorded alarming levels of data breach in the first quarter of 2023.
This is to go findings by IT Edge News.Africa based on claims by Data Protection Compliance Organizations (DPCOs), and industry insights including detailed study of investigative endeavours by the privacy Ombudsman: Nigeria Data Protection Bureau (NDPB).
RELATED: Banks, telcos among 110 companies under investigation by NDPB for data breaches
Going by claims by the DPCOs and industry insights, while some of the risk levels for data breach could be regarded as Low Risk meaning the infraction is unlikely to have ‘an impact on individuals, or the impact is likely to be minimal,’ breaches by many of the affected organisations could be regarded as Medium Risk implying that the ‘breach may have an impact on individuals, but the impact is unlikely to be substantial.’
However, majority of the infractions could be regarded as High Risk to mean that the breaches have a considerable impact on affected individuals and undermine the provision of the Nigeria Data Protection Regulation (NDPR) substantially.
Some DPCOs think the 200 estimate is a conservative figure as the number of affected companies could be far higher.
To quote Muhiz B. Adisa, DPCOs are licensed by the NDPB to carry out “training, auditing, consulting, and rendering services and products for compliance with the NDPR or any foreign data protection law or regulation having an effect in Nigeria.” There are more than 120 licensed DPCOs in Nigeria.
Organisations under obligation to report breaches
Data breaches are not a rarity in the industry. But the law says such breaches must be reported to the authorities and detailed information on steps initiated to remedy the situation should be provided to allow the privacy watchdog conduct its own investigations.
But most companies are not aware of this legal obligation or “often, deliberately shy away from sharing details with the authorities fearing possible sanction, ‘brand backlash’, and even possible legal actions by victims of such breaches,” the CEO of one DPCO said in Lagos this week.
Earlier in February, the NDPB announced it was investigating about 110 companies in Nigeria over allegations of data breach. National Commissioner/CEO of the NDPB, Dr. Vincent Olatunji, said the companies include banks, telecom firms, gaming companies, and online lending companies.
Stressing that the data vulnerabilities in these sectors are on the rise, he assured that the bureau was working to ensure that operators remain on the alert and conform to the NDPR.
Data breaches now routine global blight
Data breaches have become routine blight globally and across sectors affecting both big and small companies. The list include: China Software Developer Network (2011); Yahoo! (2013-2016); MySpace (2013); JPMorgan Chase (2014); Home Depot (2014); Central Intelligence Agency (2017); First American Financial Corp (2019); CheckPeople (2020); Microsoft (2021); Facebook (2021); and LinkedIn (2021).
In fact, high profile data breaches have grown in number and dimension becoming equally alarming whether in the healthcare, finance, retail, government, and manufacturing, and energy, sectors. They include those of Bidencash (2022); Optus (2022); Whatsapp (2022); Medibank (2022); Uber & Rockstar (2022); Twitter (2022); Nelnet Servicing (2022); T-Mobile (2023); Yum Brands – KFC, Taco Bell, & Pizza Hut- (2023) ChatGPT (2023); Chick-fil-A (2023); Activision (2023) Google Fi (2023); MailChimp (2023); and Norton Life Lock (2023).
In Nigeria, the growth of enterprise-wide cloud adoption has also meant increased security breaches from data attacks according to a recent IDC survey. A 2020 FBI (US Federal Bureau of investigation) ranking for cyberattacks adjudged Nigeria as 16th among over 100 countries most affected by cybercrimes meaning that data hackers appear to be having a field day in Africa’s most populous country of over 200 million people where Internet access with the digital economy has recorded exponential growth
Worrisome data vulnerability points
The vulnerability points from both “technical and personnel point of view are worrisome. The NDPB need to apply a stricter approach to getting these establishments particularly banks and telcos to up their game as it concerns data of individuals,” said another DPCO.
The DPCOs advised that organisations handling high volume of individuals’ data need to invest more in data security infrastructures and training, retraining of their personnel.
In January this year, the NDPB opened an investigation into allegations of data breach by two Nigeria Banks, namely GTBank and Zenith Bank. In June 2022, the watchdog announced it had commenced investigations into reports of breach of data privacy involving two major data controllers in Nigeria: Wema Bank PLC and KC Gaming Networks (Bet Naija).
Also in 2022, a data security report by the Website Planet research team revealed a data breach affecting the Plateau State Contributory Health Care Management Agency (PLASCHEMA).
The data breach involved over 75,000 files, exposing more than 37,000 people. It exposed identity documents revealing applicants’ personal information such as full names, dates of birth, physical address, and much more.”
COVER IMAGE: Los Angeles County – Consumer & Business
