0

A data security report by the Website Planet research team has revealed a data breach affecting the Plateau State Contributory Health Care Management Agency (PLASCHEMA).

According to the findings sent to IT Edge News, personal data of thousands of citizens have been exposed in breach of Nigeria Data Protection Regulation (NDPR) 2019. The country’s data protection ombudsman, Nigeria Data Protection Bureau (NDPB), has already been alerted.

“Our security team recently discovered a data breach exposing PLASCHEMA, a Nigerian governmental healthcare agency. They had an open and unprotected Amazon bucket, which contained over 75,000 files, exposing more than 37,000 people. It exposed identity documents revealing applicants’ personal information such as full names, dates of birth, physical address, and much more,” the report by Website Planet noted.

PLASCHEMA was established over two years ago by the Plateau State government to reduce the cost of medication for all citizens residing within Plateau state.

According to the report, the Nigerian healthcare agency’s unsecured buckets exposed thousands of applicants’ personal data; about 45GB of data totaling over 75,000 files.

Company name and location: PLASCHEMA (Plateau State Contributory Health Care Management Agency), based in Nigeria
Size (in GB and amount of records/files): Around 45GB, totaling over 75,000 files
Data Storage Format: AWS S3 bucket
Countries Affected: Nigeria – citizens of Plateau state

The security team noted: PLASCHEMA “had an open and unprotected Amazon bucket, which contained over 75,000 files, exposing more than 37,000 people. It exposed identity documents revealing applicants’ personal information such as full names, dates of birth, physical address, and much more.”

Website Planet researchers discovered PLASCHEMA’s buckets, left in open form, without any encryption or password protection, as part of our extensive web mapping project. We use web scanners to identify unsecured data stores on the internet. We responsibly analyze, secure, and report these data incidents to raise awareness about the dangers of cybercrime and help affected companies and users.

Status of the Data Exposure

We found PLASCHEMA’s open bucket on April 3rd, 2022.

  • April 5th, 2022: We messaged the Nigerian government.
  • April 11th, 2022: We sent follow-up messages to previous contacts and contacted the Nigerian CERT.
  • April 14th, 2022: We sent more follow-up messages to previous contacts and the Nigerian CERT.
  • April 15th, 2022: We messaged AWS regarding the breach.
  • April 25th, 2022: We contacted the Nigerian CERT via Twitter.
  • April 26th, 2022 – May 2nd, 2022: We sent several follow-up messages to different Nigerian CERT addresses and received two auto-replies.
  • May 10th, 2022: We contacted the Nigerian CERT via Twitter again and they responded, asking for more information.
  • May 11th, 2022: We responsibly disclosed the incident to the Nigerian CERT. We also emailed Nigeria’s Data Protection Officer.
  • May 12th, 2022: The Nigerian CERT responded to our message, saying “We will ensure the incident is resolved as soon as possible.”
  • May 25th, 2022: We contacted the Nigerian CERT again since the buckets were still unsecured.
  • May 30th, 2022: The Nigerian CERT responded to our message, saying they suffered a setback while trying to contact PLASCHEMA, but that they had sent a hardcopy letter to the organization.
  • Jun 09th, 2022: Contacted the Nigerian CERT again, since the buckets were unsecured. They replied that same day, telling us that they contacted the organization hoping that they would secure the buckets.

Customer Data Exposed

  • Applicants’ PII: Identity documents containing full names, dates of birth, height, sex, occupation, blood group, address, state, town/village, local government area, place of birth, parents’ full names, registration details, etc.
  • Applicant photos: Identification photos of citizens applying to PLASCHEMA’s program.

Protecting Your Data

Affected Plateau State citizens should monitor social media and other popular sites and services for fake accounts in their names.

Read more details of the report  here: https://www.websiteplanet.com/blog/plaschema-breach-report/

  • IT Edge News is not publishing images and other documents of the applicants already exposed online in compliance with the NDPR. 

More in News

You may also like