Cybersecurity Scandal: Telecom leak exposes over 600 000 Namibians

Prominent victims of a cybersecurity breach that saw over 600 000 Telecom Namibia (TN) clients’ details exposed say they are now living in fear.

Agriculture, water and land reform minister Calle Schlettwein, whose personal information is among those leaked in a cybersecurity breach at TN, says it is concerning that people’s details have been made public.

Namibia Investment Promotion and Development Board chief executive Nangula Uaandja says cyber awareness in Namibia has been found lacking, and this should be a wake-up call for all institutions to take cybersecurity seriously.

“While this is definitely an unfortunate incident, hopefully it will not lead to serious consequences for those whose data was leaked; maybe it provides an opportunity to learn and grow.”

Uaandja says she hopes this is seen as an opportunity to invest in preventative measures so that the situation is not repeated.

Popular Democratic Movement (PDM) president McHenry Venaani, whose personal details were also leaked, says he has been asking questions about Namibia’s preparedness for cyberattacks but the government has always maintained that the country has capacity.

“One question that needs to be asked is ‘do service providers need to have so much information about individuals?’ We are becoming vulnerable to cyberattacks should service providers have so much information about us,” he says.

Activist Michael Amushelelo, whose details are also among those leaked last week, says he is consulting with his lawyers to file a possible lawsuit against TN after the company was hacked.

Amushelelo further called on TN chief executive Stanley Shanapinda to to resign.

Following the leak, fears are that sensitive data contained in people’s medical records from the Ministry of Health and Social Services may be compromised.

The same fears have also gripped other others following revelations that the Ministry of Home Affairs, Immigration, Safety and Security, which is responsible for civil registry, may also have been compromised.

Other key institutions compromised by the data leak include the Office of the President, airlines, regional and town councils, universities, mining companies, car dealerships and restaurants.

Health minister Kalumbi Shalunga appeals for patience and says the ministry is investigating the leak of health documents.

“This matter is still under investigation. We wish to provide concrete information, which is currently not available.”

A source at TN yesterday told The Namibian the hacking was detected towards the end of last month, but employees were told that it was a “small network glitch”.

“Our calling system is not functional. We are not using freeware,” the source said.

However, the chief accountant for safety and security at the home affairs ministry, Rachel Nghiilamo, says the ministry was not hacked but personal information and identity information was accessed through TN’s servers.

“Our ministry was not hacked. What was hacked was Telecom, and then they accessed our information from Telecom’s server.”

Nghiilamo says the number of people affected is not known, and if there was a breach in their network, it is yet to be revealed through their investigations.

The leak involved 626.3 gigabytes of confidential information.

FAR REACHING CONSEQUENCES

Amushelelo highlights that crucial information is now in the public domain.

“Our data is out in the public domain, and for that, someone must be held accountable.

When you apply for services, you share confidential info – bank statements – information that should only be privy to you and Telecom, but now it’s all out in the public domain.

This thing has far more reaching consequences than what we may think,” Amushelelo says.

“We hear that the health ministry is also under cyberattack, with people’s medical records exposed.

I am meeting with my lawyers this afternoon to draft a class-action against TN, or a potential lawsuit.

This is a breach in trust and should not be taken lightly.

“Telecom lied to us and pretended that everything is hunky-dory, while it is not.”

Information and communication technology deputy minister Modestus Amutse says the ministry is done with the data protection bill and the cybercrime prevention bill, which will help deal with cyber security.

He was speaking to Desert FM yesterday.

“What is remaining now is the next level, that is of the Cabinet Committee on Legislation,” Amutse said.

These bills seek to address the growing threat of cyberattacks and to protect citizens’ data.

He said once a ministry finalises its part in drawing up the bill with input from different stakeholders, the next step is to table it in the Cabinet.

“We were preparing the country to be able to respond in cases and actually to do surveillance on possible attacks and to do quick responses to those attempts, and we believe there is still room for improvement in that area,” Amutse said.

He further assured the nation that the government is looking into what happened and are busy interrogating their own systems and putting measures in place to ensure that remaining information is secure.

Meanwhile, Shanapinda says the organisation did not entertain negotiating with Hunters International, after they were given a deadline to pay an unknown ransom.

“What they did is they contacted us, indicating that they wanted to discuss what the ransom would be that needs to be paid. We did not engage with them after we got that message. We do not negotiate with cyber terrorists,” he says.

He says past experience has shown that ransom amounts are usually unaffordable and there is little point in discussing the matter with extortionists.

“Even if you did pay, there’s no guarantee that the information would not be released anyways,” Shanapinda said on Desert FM yesterday.

He further urged the government to create necessary legislation to prevent incidents of this nature.

Cyber security expert Nrupesh Soni says the TN security breach should be a wake-up call, so that people start understanding not to just give data away to anyone at any time.

Speaking to Desert FM yesterday, he urged citizens not to hand out identification documents to just anyone.

DECISIVE ACTION NEEDED TO REGAIN TRUST

He called on TN to take decisive action to regain the trust of the public and ensure client’s data is encrypted going forward.

“It shouldn’t even be accessible by their own employees without proper access systems in place, like most other countries do. But here, it seemed like it was on a server where everybody, all employees had access.”

Soni said the time frame provided to TN by the extortionist suggests that they could have called in outside help.

“I can’t say for sure that they could have prevented the situation, but when something like this happens and they had two weeks to work on it, they could have called in outside help.”

Soni said it’s understandable that TN didn’t want to pay the ransom or negotiate but knowing that so much data was at risk and still denying it, is where he believes people drew the line, especially industry players.

He urged citizens to be a bit more vigilant and not to click on any link forwarded to them via email or text.

On the issue of the policies passed to Cabinet by the information ministry, Soni said the enactment of the data protection legislation will help in holding organisations accountable when it comes to keeping private data safe.

“They will have to use it responsibly because otherwise there will be an impact on them. There will be fines and other punishments in place.

And that’s very critical because right now what’s happening is all the many state-owned enterprises call themselves the custodians of data,” he said.

Police inspector general Joseph Shikongo yesterday said he was not aware of any personal data of individuals leaked on social media.

Yesterday, Affirmative Repositioning (AR) leader Job Amupanda blamed the distribution of personal information of individuals, including president Nangolo Mbumba, on social media on the Namibia Central Intelligence Service (NCIS).

Amupanda described the leak as a “big intelligence failure”.

On Sunday, Amupanda on his social media said the hack was not just limited to TN but also involved other institutions, including commercial banks.

He said the country’s security institutions only focus on spying and intelligence, not national security.

“We are not safe with people who put Swapo and their stomach first, before national security,” he wrote on social media.

NCIS director general Benedict Likando did not answer numerous calls to his cellphone yesterday.