Govt, NIRA under fire over ‘data breaches’

Internal Affairs Minister Maj Gen (Rtd) Kahinda Otafiire (2nd right) appears before Parliament’s Defence Committee on September 1. The committee has summoned Gen Otafiire and Nira top brass to update it on the status of the National Security Information Systems. PHOTOS/DAVID LUBOWA

What you need to know:

  • Experts warn that the absence of either a recovery or backup centre for the country’s data on National ID cards, could cost the country dear.

The soft underbelly of the national register has come under renewed focus, with experts warning that the absence of either a recovery or backup centre could cost the country dear.

The German firm that erected the National Security Information Systems (NSIS) whose infrastructure is used to make national identity (ID) cards revealed this past week that it wasn’t tasked with putting up a backup system. 

Mühlbauer High Tech International’s vice president Matthias Karl Kohler told the House Committee on Defence and Internal Affairs that when the company signed up with the government in 2010, setting up a backup system “was not part of our contract.” He hastened to add that “data is very dangerous … once lost, it is not recovered.”

Ms Rosemary Nyakikongoro, the chairperson of the House committee, described the state of affairs as “very dangerous”, adding that Ugandans have every right to feel short-changed given all the “information and money that has gone into the exercise” of putting up an NSIS.

“It is sad that all the information that we have collected for the last 10 years can be lost in case of any outbreak,” she said referring to the revelation by Mr Kohler that “a fire or terror attack or floods” can inflict irreparable damage on Uganda’s NSIS.

It’s against this backdrop that Ms Nyakikongoro summoned the top brass at the National Identification Registration Authority (Nira), its supervisor—the Internal Affairs ministry—as well as Gen Kahinda Otafiire—the line minister—to update the committee on the NSIS’s status quo.

Airtel hack
Besides the clear and present danger of data loss, the vulnerabilities of Uganda’s NSIS were recently laid bare during a hack that left Airtel Mobile Commerce Uganda Limited (AMCUL) staring at a Shs7.6 billion black hole. This newspaper reportedly exclusively that a licensed betting firm was used as the gateway to the hack. 

Our sources revealed that officials from the betting firm requested to meet detectives from the Criminal Investigations Directorate (CID) next week. The officials were summoned to the CID headquarters in Kibuli, Kampala, and were supposed to have met detectives this past workweek. 

Sunday Monitor, however, understands that one of the leads detectives are working with is the masterminds of the hack used fake ID cards to acquire SIM cards that were used to access the betting firm’s digital system. This eventually allowed them to access AMCUL’s systems without leaving behind a paper trail.

Nira response
Nira has found itself dragged into the mess on account of the black hats using fake identity documents. When contacted about the vulnerabilities of the NSIS, Nira officials were terse with details. They insisted that they will provide concrete details to the House committee.

“If they are calling them, then why don’t you wait for their response?” Nira’s deputy spokesperson Michael Muganga told Sunday Monitor, adding, “So you will be informed of the right point of view. If she (the chairperson of committee) invited the Nira officials, then wait for the Nira officials to give a response. I am sure it will not be far.”

Officials from Muhlbauer High Tech International led by the firm’s vice president, Mr Matthias Karl Kohler (left), appear before Parliament’s Defence committee on November 22, 2022. PHOTO/DAVID LUBOWA 

Mr John Toa, the personal assistant to the Nira executive director, also indicated that a formal response would be furnished to Parliament.

“We shall respond to that in the proceedings or summons they said they are going to summon [us], so we shall offer the response once we get to that. So I will not pre-empt that,” Mr Toa said.

About the AMCUL hack, Nira said it complies “with the provisions of Data Protection Act to protect that data.” It added that it keeps “that data private and don’t share it with anyone unless you get the consent of the owner of the data.”

Nira also told Sunday Monitor that it has “a full unit of security that is charged with the responsibility of protecting that data against intrusion by third parties.” It proceeded to note that the data “is securely protected and encrypted from any kind of attack of third parties.”

New national IDs
Already, the government has on multiple occasions informed the House that plans are underway to roll-out another exercise for Ugandans to renew and or acquire new national ID cards whose validity runs out next year, particularly for persons who attained them in 2014.

In May, Gen David Muhoozi—the junior Internal Affairs minister—told the House that government will require all persons (both renewal and first-time applicants) to, among others, provide their DNA details to the government to acquire new IDs.

“Expected outcomes of the exercise shall include…substitution of the (expiring) National ID cards upon expiry, and [their] upgrading … to a smart card [Electronic ID or EID] and creation of personal digital identity, upgrade of the verification system and integration of the Iris recognition biometric technology and DNA in the Nira system,” Gen Muhoozi said then.

In August, Gen Otafire told the Defence committee that the government had resolved that all persons seeking to expressly attain new ID cards will have to part with Shs50,000. He also indicated that persons seeking to replace lost IDs or correct errors on their cards will have to pay Shs200,000.

Mr Toa was unclear about when exactly the renewal process will take centre-stage. He, however, revealed that the government hopes that applicants for express ID cards will only face a three-day wait.

Dangers of backup 

In a phone interview with Sunday Monitor, Mr Yona Wanjala—the executive director at the Defenders Protection Initiative—express his fears that the picture emerging around Uganda’s NSIS will stain her national image. He reasoned that this “would mean we don’t have the capacity to manage and retain information as a country. This also implies that the security of Uganda as a country is at stake.”

It also means, he added, that Nira is falling short of its obligations as envisaged in the Data Protection and Privacy Act “because every institution that collects national data must comply with the Data Protection and Privacy Act.”

Consequently, this could trigger off a string of court battles because “any Ugandan can wake up and sue Nira since there is failure to comply with this law.”

Failure to have a backup system for data collected from Uganda would also stain the national image of the country, including frustrating security processes such as investigations both locally and internationally.

“Them lacking data, in case it is lost due to absence of a backup system, means that they are going to make investigations not only at national level but also at international level quite difficult in verifying and assessing data in that line,” Mr Wanjala said.

Mr Wanjala says “the quick fixes would fast of all include conducting a data management audit in the institution,” to establish the “basic mechanisms that are available for data protection and data back-up.”
Findings from the audit would then be weighed against the amount of data that has to be backed-up.

“So basing on that, they [government] can go ahead and purchase or out a service provider to give support in setting up a back-up.”

In the course of doing the above, the government will then embark on “a process of establishing a back-up system…that would be headed by experts.”

Welcome!

You're all set to enjoy unlimited Prime content.