What to Learn from Nigeria’s Yellow Card Leaked Data

On 1 April 2019, the Federal Government under the Ministry of Health phased replaced the old ‘Yellow Card’ with a new electronic card which they issue to people who have been vaccinated. But on August 31, 2019 thousands of data were leaked! What can the Government learn from this?

The yellow card is an important document which is given to a person after getting a vaccine against yellow fever disease. In its stead, a new electronic yellow card would be issued for people who have been vaccinated.

The new e-Yellow card is also expected to stop the racketeering in fake yellow cards which are issued at point of airports and borders. The yellow card is also meant to forestall the problems of payment to collect the card without getting the vaccination.

The World Health Organisation (WHO) recommends vaccination against yellow fever for all international travelers, nine months of age and older before they come to Nigeria as there is evidence of persistent or periodic yellow fever virus transmission there.

The New System

The new implementation begun when the Ministry of Health said that all registration for getting the Yellow Card would be exclusively online. While this was a great movement in the light of digital sustainability and ease, the Ministry failed to see the critical aspect of securing its citizens.

Here’s an overview on how to get the card using the new system:

The new yellow fever card costs N2000 and will need to be paid online via credit or Debit Card Payment.

STEP BY STEP

• STEP 1:Visit http://www.yellowcardnigeria.com
• STEP 2: click on Register
• STEP 3: Fill in your personal information and click on submit button.
• STEP 4: Click on Payment button, generate your Remita Retrival Receipt (RRR) code and pay the sum of N2,000 online (or go to the bank).
• STEP 5: Take the payment receipt along with your international passport to any Port Health Services Office to get vaccinated and obtain the yellow card.

The Looming Problem

According to Business Day, “a visit to the website on Saturday showed that when a user input their passport number on the ‘Check card Number’ page, rather than take the user to the login page, it opens directly to the data page where the user’s information has been stored. When you increment the number one by one, you are taking to different private information of other users on the website.”

While the Ministry has not yet responded to situation which could (or has) potentially seen millions of private information belonging to travelers fall into the wrong hands, we take a look at the implications of this event.

Implications Observed

1. Loss or compromise of Travelers data. In this infamous Yellow Card data breach, which most likely occurred between late August 2019- and July, personally identifiable information belonging to around least 200,000 Nigerians is believed to have been accessed by cyber-thieves. The scale and consequences of the Yellow Card security faux pas is enough to scare any individual into dealing with sensitive information correctly.
2. Loss of money. The majority of cyber attacks concentrate on the insides of an agency’s wallet. It is forecast that by 2021, cyber-crime damages will cost the world $6 billion.While that is a fact that has begun happening, the current breach will likely cost the Ministry of Health huge junks in fixing.
3. Hurt of Reputation. Most downturns for firms and organizations are usually caused by data breaches and cyber attacks that could have been prevented. According to 90% of CEOs, striving to rebuild commercial trust among stakeholders after a breach is one of the most difficult tasks to achieve for any company?—?regardless of their revenue. Now, with this qualm that has blown to the ways of the Ministry of Health’s Yellow Card website, you can be sure that no Nigerian would feel safe to put their Debit Cards details on their website.
4. Risk of Physical Data loss. Over 70% of businesses involved in a major incident either do not reopen or fail within three years of an incident occurring. Remembering to keep the infrastructure of the Yellow Card website safe at all times to avoid loss of data is something that should have been the mind of the Nigerian authorities, unfortunately we know how the story turned out.

What the Nigerian Government should Learn!

With technology being fundamental to many businesses, it should hardly be seen as a surprise that cyber attacks pose significant threats. The above worst-case scenarios are to encourage businesses, and active participants in the digital economy, to implement protective measures that allow them to comply with data protection regulations. Although there is no “silver bullet” that can protect your business from cyber-crime, putting in place adequate security measures is essential for stability and continuity.

According to Glyn Moody of ARS Technica?—?Extremely personal information will be leaked with terrible consequences for some people. The only question is when. This is an essential thought, the Government should plan for the future, information accessed by hackers now could be used to harm the profile of well meaning innocent individuals in years times considering that hackers will take time to analyze the information gotten from their raids (breach success).

Data breaches can expose personal information, financial information such as credit card numbers from individuals and corporate secrets, their software codes, customers and even intellectual property.

Once the attack has been stopped and eliminated, the next step is to investigate it and assess the damage it has caused to the organization. Knowing how the attack happened is needed to prevent future attackers from the same tactics and succeeding. Also, it’s important to investigate the affected systems so that any malware possibly left by the attacker can be detected.

During the assessment, information that should be dug up includes:

• What was the attack vector?
• Was the attack based on social-engineering tactics or through user accounts?
• How sensitive is the breached data?
• What is the type of that data affected?
• Does the data contain high-risk information?
• Was the data encrypted and can it be restored (did the company backup their data)?

After taking the first steps in recovering from a data breach, a security audit is needed to assess the organization’s current security systems and to help with preparation for future recovery plans.

After an attack and taking all the appropriate steps for recovery, the importance of preparing for the next attack can’t be stressed enough. After being attacked once, the possibilities that you will be attacked again are substantial; it’s possible that the same attacker or group of attackers will try it again since they’ve already succeeded, or other groups will use the same or similar methods.

The security audit and internal investigation are valuable. The information uncovered will help guide you toward your future recovery plan and any vulnerabilities that may be lurking. The new recovery plan may include new privacy policies, security training for all employees, enforcing agreed policies with third-party businesses and more. But one thing every organization needs to do is work on educating their employees in some of the finer points of cyber-security since, as we mentioned, human error is one of the most frequent reasons a data breach occurs.

Featured image – Nigerian Yellow Card (Sahara Reporters)