Press Release: Alleged Data Breach/Leak at Uganda Securities Exchange

Kampala, 18th July 2022: Today we notified the Personal Data Protection Office in Uganda about the alleged data breach at the Uganda Securities Exchange (the “Exchange”), an entity responsible for trade in stock, which allegedly led to the exposure of 32 GB of personal data and sensitive information, and requested an expeditious investigation.

On 13th June 2022, a tweet from an ICT security researcher called “Anurag Sen”, through his Twitter handle @hak1mlukha, indicated that the servers of the Uganda Securities Exchange had been compromised, leading to the exposure of personal data and sensitive information amounting to 32 GB.

The same story was run by Daily Monitor, a leading daily newspaper in Uganda, highlighting the alleged data compromise affecting the users of the Exchange’s Easy portal, to wit, MTN and CIPLA, both listed on the Exchange.

However, on 15th June 2022, the Exchange, through a press release, refuted the reports, indicating that it was rather the logging servers of an unnamed third-party partner that had been compromised.

On top of the allegations of a data breach, we realized that the Exchange does not have an easily accessible privacy policy, contrary to the principle of transparency.

In 2019, Uganda enacted a Data Protection and Privacy law to protect the privacy of individuals and their personal data, with the Personal Data Protection Office as the compliance overseer.

“The importance of data protection and integrity in a digitized and globally interconnected world is enormous and cannot be overemphasized; it protects user data, including sensitive information, from fraudulent activities like cyber-stalking, harassment, phishing, and identity theft. Therefore, data collectors, processors, and controllers have a statutory obligation towards the integrity and safety of such data from scrupulous access and unlawful disclosure,” says Dorothy Mukasa, Unwanted Witness Executive Director.

We, therefore, asked the Office to thoroughly investigate the alleged data breach within 21 (twenty-one) days, as stipulated by the Act, and to make such orders as envisaged under the laws regulating data protection and privacy in Uganda, in order to protect and preserve the integrity of and trust in the financial system, including the capital market, in Uganda.

We urge all other actors in different sectors to observe their statutory obligations under the law regulating data protection and privacy.

About The Unwanted Witness

The Unwanted Witness, Uganda is a civil society organization (CSO) that was established to respond to the gap in effective communication using various online expression platforms