Data breach puts hundreds of USE investor details at risk

Whereas USE has conceded that there was a data breach, it has indicated that it is yet to understand which investor data was exposed.

What you need to know:

  • Details indicate that unauthorised persons were able, for weeks or even months, to access investors' full names, email addresses, phone numbers, passwords, usernames, plaintext credentials and access tokens, addresses, details of foreign persons and companies, and bank details such as users' account and ID numbers.

On June 5, Daily Monitor was alerted to a data breach on the Uganda Securities Exchange (USE) server hosted in Germany. 

The breach, this newspaper understands, was brought to the attention of USE by a researcher through Twitter, and by other government agencies.

However, it continued for days before it was secured on Monday.

A Twitter account under the name Anurag Sen on Monday, days into our investigations, published that “personal details of hundreds of thousands of Uganda citizens had leaked due to lapses of [sic] Uganda Securities Exchange”.

In details shared with the Monitor, the whistleblower, whose identity will remain anonymous, indicated that personal investor data had been leaked through http://194.163.136.1:9200/, which we have since established was disabled.

Attempts to access the server through that link yesterday failed, even though we had been able to access investor details through it for more than a week.

“I work as a cyber security researcher; recently I discovered an unprotected server leaking sensitive information related to Uganda Securities Exchange [Easy Portal], including thousands of citizens from Uganda,” the whistleblower wrote in an email, before sharing screenshots of investor information.

The breach, we understand, had been brought to the attention of the Ministry of ICT and the Uganda Computer Emergency Response Team under the Uganda Communications Commission, which receives, reviews and responds to computer security incidents. However, for days nothing had been done.

The breach was corroborated by our own investigation, in which we were able to access the details of at least 700 investors through Easy Portal, a feature on the USE website.

Independent analysis of obtained data indicated that investors under Cipla, MTN and Umeme within and outside the country were the most affected. 

Details that we were able to obtain indicate that the leaked data amounted to more than 32 gigabits, all belonging to USE and managed by Contabo GmbH in Nuremberg, Bavaria, Germany. Daily Monitor’s independent verification confirmed that the server is hosted in Nuremberg and hosts the USE Security Central Depository (SCD), an electronic system that holds investor details.

The SCD is a login portal for investors and other trading entities, from which they check trading activities and monitor other activities. 

The online gateway, Easy Portal, was launched in March 2017 to allow investors to track their portfolios, buy shares and access real-time trading information.

At the launch, Mr Paul Bwiso, the USE chief executive officer, described the portal as “an option for investors to take charge of their portfolios by personally monitoring their accounts”. 

The details leaked, according to our investigation, include full names of investors, email addresses, phone numbers, passwords, usernames, plaintext credentials and access tokens. 

Others are addresses, details of foreign citizens and companies, and bank details, including account and ID numbers.

According to various data samples shared by the whistleblower, there were other open ports on the server, which linked to Bank of Baroda, operating in Uganda and registered under USE.

Last Friday, the Monitor had approached officials at USE with samples of the leaked data, but they indicated they were not aware of any breach.

However, whereas USE, including Mr Bwiso, had since last week insisted that their servers were secure, a USE statement shared yesterday indicated that an unspecified amount of investor data had been exposed by a third-party partner.

“We checked our servers and they were not breached. So, we don’t know what you are referring to. We checked our logs and there are no genuine external threats,” Mr Bwiso said, warning the Monitor against publishing the story because it had serious legal implications. 

“I have my legal team on standby to discuss with you the implications of writing this story,” he said. 

In the statement yesterday, USE said that the Exchange [USE] wished to disclose that it had established that a third-party partner’s logging server, which receives specific information from the Easy Portal server, was exposed to external access, thereby compromising the privacy of the data received by that particular external server. 

However, USE further noted “access to this server has since been appropriately secured.”

USE was yet to review details of the alleged leaked data and, therefore, could not confirm at this point in time the type or amount of data that had been accessed.

“We are, however, working closely with our technology partners and third-party service providers to conduct a thorough review of the incident in order to establish these details and shall advise the public of the same or any new relevant information that may be established from the on-going investigation,” USE noted. 

Server secured

By Monday, we had established that the server had been secured, which we confirmed through an independent verification with information technology experts. 

The leaked data, a cyber security expert told the Monitor, carried various risks, such as scamming and personal threats, because it contains a large amount of personal detail.

Additionally, a cybersecurity expert who spoke on condition of anonymity said the risk of such leaked information ending up on the dark web was high.

The data, the cybersecurity expert noted, can be used in marketing, attacks on high net worth individuals, and social engineering.