The Namibian reported in its edition of 11 June 2018 (https://www.namibian.com.na/68242/read/SSC-leak-exposes-personal-info-online) on the data leak noticed last week on the website of the Social Security Commission (SSC). The reporters who took up the story were able to alert the appropriate staff, and the data leak was closed on Sunday, 10 June 2018.
Now that the leak has been closed, the following is an overview of what occurred and what should be done to prevent such events in other organisations.
The Director of the Namibia Consumer Protection Group (NCPG), Milton LOUW, is an IT expert and owner of Aardvark Investments, a company that often undertakes tracing for insurance companies wishing to locate people who are owed monies but whose contact details are no longer current.
On Thursday 7 June 2018, a routine search for “Box 1141, Oshakati” showed the following results on Google.
Clicking on this link opened up the following page.
This directory contained 1,885 files, consisting of submissions made to the SSC. Some of these files include very personal information such as ID numbers, SSC registration numbers, and even the salaries paid by certain companies. PLEASE note that the information dates from around 2013 to 2018 and is personal information that should not be in the public domain.
In addition to the files submitted to the SSC by companies, there was also a directory of files containing the signed Performance Agreements of top managers for the period 2016/17.
Are my company files compromised?
PLEASE NOTE: All inquiries regarding the information of employees and employers should now be addressed to the Social Security Commission: Chariold.Auchab@ssc.org.na, Tel: +264 61 2807712.
What happened?
The website was created with the default directory www.(company).na/files/downloads. In this directory were placed all the electronic forms that employers can use to submit their employee details.
Unfortunately, the webmaster also used this directory to hold all the files submitted to the SSC. This directory, for obvious reasons, needs to be available to the public, search engines, etc., and it did not have a restrictive .htaccess file.
How to prevent this?
The public face of the company or organisation through its online presence should always be kept separate from information received from its clients via the internet. This means that any and all correspondence from customers should be automatically routed to a directory that is not publicly accessible.
Conclusion
This is the first, and certainly not the last, data breach that the media will report on. Namibia has to develop its security and implement the Electronic Transactions, Data Protection, and Access to Information Acts.
NOTE: .htaccess is the default name for a file that is used to indicate who can or cannot access the contents of a specific file directory from the Internet or an intranet.
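The separation described under "How to prevent this?" and the .htaccess note above can be shown in code. The following is an added example and is not the SSC's own software or configuration: it assumes a constructed directory layout in which blank forms live in a public downloads directory under the web root, while completed submissions are written to a private directory outside the web root, under a server-chosen random name, with an .htaccess file (Options -Indexes, Require all denied) placed there as defence in depth. The weak pattern the article describes is kept alongside the corrected one so that a check can tell the two apart.

```python
import os
import secrets
import tempfile
from pathlib import Path

# Constructed layout for this example (hypothetical paths, not the SSC's):
#   <root>/public                  -> document root served by the web server
#   <root>/public/files/downloads  -> blank forms, intended to be public
#   <root>/private/submissions     -> completed forms, never under the web root

ALLOWED_SUFFIXES = {".pdf", ".xls", ".xlsx", ".docx"}


def setup_layout(root):
    """Create the public and private directories and protect the private one."""
    root = Path(root)
    public_forms = root / "public" / "files" / "downloads"
    private_subs = root / "private" / "submissions"
    public_forms.mkdir(parents=True, exist_ok=True)
    private_subs.mkdir(parents=True, exist_ok=True)
    # Defence in depth: if the private directory is ever mapped under the web
    # root by mistake, Apache refuses every request and never lists the contents.
    (private_subs / ".htaccess").write_text("Options -Indexes\nRequire all denied\n")
    return public_forms, private_subs


def is_under_web_root(path, web_root):
    """True if the file would be reachable by URL, i.e. it sits inside the document root."""
    try:
        Path(path).resolve().relative_to(Path(web_root).resolve())
        return True
    except ValueError:
        return False


def weak_store_submission(public_dir, original_name, data):
    """The pattern the article describes: the submission is dropped into the
    public downloads directory under its original name, where a crawler can index it."""
    stored = Path(public_dir) / Path(original_name).name
    stored.write_bytes(data)
    return stored


def store_submission(private_dir, original_name, data):
    """Corrected pattern: type-checked, random server-chosen name, private
    directory, owner-only permissions. The client-supplied name is never used as a path."""
    suffix = Path(original_name).suffix.lower()
    if suffix not in ALLOWED_SUFFIXES:
        raise ValueError("unsupported file type: %r" % suffix)
    stored = Path(private_dir) / (secrets.token_hex(16) + suffix)
    with open(stored, "wb") as fh:
        fh.write(data)
    os.chmod(stored, 0o600)
    return stored


def demo():
    """Store one constructed submission both ways and report which copy is exposed."""
    root = tempfile.mkdtemp()
    public_forms, private_subs = setup_layout(root)
    web_root = Path(root) / "public"
    payload = b"%PDF-1.4 constructed sample employer return\n"  # constructed content
    leaked = weak_store_submission(public_forms, "employer_return_2018.pdf", payload)
    safe = store_submission(private_subs, "employer_return_2018.pdf", payload)
    return {
        "weak_exposed": is_under_web_root(leaked, web_root),
        "safe_exposed": is_under_web_root(safe, web_root),
        "safe_name_reused": safe.name == "employer_return_2018.pdf",
        "htaccess_present": (private_subs / ".htaccess").exists(),
    }


if __name__ == "__main__":
    print(demo())
```

The check in is_under_web_root is the one worth running over an existing site: every path that receives uploaded or submitted material should fail it, and a path that passes is, by construction, one that the web server can be asked to serve.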