USE investor data was exposed to hackers, investigation finds

The investigation faults USE and Soft Edge for failing to protect investor data from third-party access. PHOTO / FILE

By Daily Monitor

An investigations by the Personal Data Protection Office, a government unit established as an independent office under the National Information Technology Authority, Uganda, has indicated that unauthorised people accessed personal data of thousands of investors at the Uganda Securities Exchange (USE) for at least 12 days in June last year. 

The investigation, which pins USE and its technology partner Soft Edge for negligence in handling personal data of clients leading to exposure to unauthorised third parties, followed an exposé, in which this publication had published a story after it was alerted to a possible data breach on USE servers in the US.  

Ms Stella Alibateese, the Personal Data Protection Office director, led the year-long investigation.

“After reviewing the documents shared and interviewing representatives from USE and Soft Edge, it was determined that the breach occurred on the infrastructure of Soft Edge due to an incorrectly configured firewall … this created an open port, from which personal data was exposed for a period of about 12 days,” the report, titled security data breach at USE, reads in part, noting that the data which was accessed included National Identification Numbers (NINs), names, dates of birth, emails, physical addresses and telephone numbers of investors. 

However, an investigation by this reporter had earlier indicated that other personal details such as passwords, usernames, plaintext credentials, access tokens and bank details had also been exposed to unauthorised third party access for weeks.  

The breach, Ms Alibateese indicated, was deserving of prosecution on the part of USE, Soft Edge and their accountable representatives, noting that the two entities had “failed to notice the continuous exposure of personal data for 12 days until it was publicised”. 

Details of the investigation indicated that the Personal Data Protection Office had first received a notification of the breach through a June 18, 2022 complaint by Unwanted Witness, a civil society organisation, two days after had highlighted the same in a June 16, 2022 story. 

The breach had resulted from an incorrectly configured firewall on the audit logging server created to track all actions during an upgrade of USE’s Know Your Customer system. 

The investigation also found that USE had failed to fulfill its duty as a data collector when it failed to ensure that Soft Edge complied with its policies to protect individuals’ personal data.

A USE official who spoke to Monitor over the weekend, said the USE chief executive Paul Bwiso, could only make a substantive statement through a direct meeting with this reporter on the likely actions highlighted by the investigation. 

Mr Keith Kalyegira, the chief executive officer at Capital Markets Authority (CMA), the industry regulator, declined to comment on the matter, saying he was out of the country, and instead referred Monitor to Mr Edgar Mutebi, the CMA acting director supervision, whose phone numbers were out of reach by press time. 

However, Mr Dickson Ssembuya, the CMA director of research and market development, said they will review the report recommendations and act appropriately.

This publication could not readily obtain a comment from Soft Edge. The report also noted that the investigation had found that Soft Edge was not registered with the Personal Data Protection Office as required by the Privacy Act and its agreement with USE was inadequate to secure the integrity and confidentiality of personal data.

USE is expected to implement any form of non-compliance within three months from the date of publication of the report, which also highlights that under Section 38 of the Privacy Act that any corporation and every officer of the corporation who knowingly and willfully authorises or permits access to personal data under its custody, commits an offence. 

Extent of the breach

An investigation by last year had been prompted by an alert from a Twitter account under the names of Anurag Sen, which had published that: “Personal details of hundreds of thousands of Ugandan citizens had leaked due to lapses of [sic] USE”. The details shared by the whistle-blower indicated personal data had leaked through 

An analysis of the breach later revealed that more than 700 investor personal data had been accessed with Cipla, MTN and Umeme being the most affected. Mr Joram Ongura, an industry brokerage expert, said the data breach is the first of its kind in the market and, therefore, creates mistrust, noting that the underlying trust is the confidentiality clause between brokers and clients and once the trust is broken, it might lead to lesser interest in certain markets and investors being penalised in their respective markets. 

“The concern would be for the institutional investors, who are required to adhere to a strict compliance environment, and definitely that means they will need to know if those issues have been addressed,” he said.