I am going to paint pictures with this piece. Pictures from the past, from today, and predictions for the future, then I will create a nexus between the three and drop my pen, leaving you to make your inferences. But be aware that your inferences, perceptions and opinions about the issues I will raise are entirely your responsibility. Let’s get to business.
First, me. Who I am. It is not necessary for you to know, but the knowledge can afford you the visual stimulus to absorb what you are about to read with better understanding, stronger opinion-forming temerity, and an overall grip of the mood of the article. My name is Quadri Abdulbaseet, a Financial Technology (FinTech) Analyst and fast-rising social commentator whose opinions are reports from the lenses of objectivity and a clear conscience. I have been interested in personal data and issues bordering on digital transaction confidentiality for almost a decade now.
Matters of digital transaction confidentiality can seem so far-fetched for so many people and it is understandable because the custodians of the small details are not always willing to volunteer them. I have told the stories I tell clandestinely up until now because I sense a shift in the way things will be done from now on, but before we get to the shifts, here is something you have to know about the personal data you surrender to your banks, and what has been going on with it all this while.
In the not-so-distant past, some 14 years ago, it was super easy to find you if I had the faintest access to bank servers and database repositories. And then, I absolutely did not need any form of advanced digital sleuthing skills to gain this access. I only had to make a couple of swipes here, run a couple of password-breaking algorithms there, and voila! I see nearly all records of your personal information provided to your bank, and I can do whatever I want to do with it.
In March of 2008, Heartland Payment Systems, a U.S.-based payment processing and technology provider, experienced the biggest data breach in its history. At the time of the breach, Heartland was processing north of 100 million credit card transactions per month for 175,000 merchants. The breach was discovered nearly a year later, in January 2009, when Visa and MasterCard notified Heartland of suspicious transactions. The attackers exploited a known vulnerability to perform a SQL injection attack. The impact was the exposure of 134 million credit cards. The company paid an estimated $145 million in compensation for fraudulent payments.
In July of 2013, Capital One, an American bank holding company specializing in credit cards, auto loans, banking, and savings accounts, identified a security breach of its customer records that exposed the personal information of its customers, including credit card data, social security numbers, and bank account numbers. The impact? 106 million credit card numbers were exposed.
In September of 2014, The Home Depot, the largest home improvement retailer in the United States, supplying tools, construction products, and services, announced that its POS systems had been infected with custom-built malware, which posed as anti-virus software. The impact? Exposure of the credit card information of 56 million customers.
In Nigeria, and even in more recent times, data breaches have become a cause for concern. In September of 2020, a self-acclaimed hacker, one Ihebuzo Chris, posted a video on Twitter where he spoke about Access Bank’s security vulnerabilities and flipped through pages of A4 paper containing what he said was the bank’s customers’ sensitive personal information. In the same month, another hacker boasted on Twitter that he had Unity Bank’s customers’ data, which he threatened to share with the public in “dumps”.
In June of 2019, a 67-year-old woman was arraigned before an Igbosere Magistrates’ Court, Lagos, for allegedly hacking into a First Bank Plc account and stealing the sum of N16.2 million. Over 40% of business executives argue that exposure and loss of personally identifiable information pose the most significant risk to their companies.
Those are just recent popular examples of bank hacks in Nigeria, and again, those are just hacks, involving algorithms, ransomware, bloatware, and spyware. There are several other ways personal information can be obtained: initiating fraudulent deals to obtain data, impersonating close relatives or close business associates to obtain data, and opening suspicious or offshore accounts in someone else’s name and running integration with legal bank accounts, using the encountered bottlenecks to obtain true data. The means are endless. These are the ploys and schemes the Hushpuppis and Momphas of today deploy to infiltrate bank data reserves, find data, and use data.
Data breaches still happen today, in the banking sector and outside of it. Internationally, LinkedIn had a data breach in June of 2021 impacting 700 million users. Socialarks, a rapidly growing Chinese social media agency, had a data breach in January of 2021 impacting 200 million of its records. In January of 2021 too, Bonobos, the popular men’s clothing store, had a data breach impacting 12.3 million of its customer records. Similar situations happened to MeetMindful and Pixlr too in 2021. Recent records in the finance sector show smaller breaches going on here and there, leading many to begin relying on cryptocurrencies… until the acclaimed father of all crypto, Bitcoin, was so publicly and so overwhelmingly hacked, using Twitter as the phishing tool. [Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message.] The accounts involved were not those of just anyone and everyone, but of icons and celebrities (and even companies) who have their financial records sealed as tight as can be possible: Barack Obama, Joe Biden, Bill Gates, Elon Musk, Floyd Mayweather, Jeff Bezos, MrBeast, Michael Bloomberg, Warren Buffett, Kim Kardashian, Kanye West, Apple, Uber, Cash App. This attack, occurring between 8pm and 10pm UTC on July 15, 2020, reportedly targeted 130 high-profile Twitter accounts.
The question becomes: where do we go from here? What is the future going to look like with the realities of personal data breaches today? What measures are being taken? Cryptocurrency first posed as the answer, but just as the bitcoin hack showed, cryptocurrency, while hosted on the very trusted blockchain distributed ledger technology (DLT), has one major flaw: it is private, its miners unknown, and its minter unknown. When it fails, who would you hold accountable? When your private key is cracked, how do you rectify it? Which government help can you call on to initiate Anti-Money Laundering (AML) protocols to track and recover your information? The solution therefore is, for as much as we have theorized its benign practicality, a system run on DLT, but distributed in retail to existing custodians of money with fiscal policies and protocols that already protect customers’ money and enable quick recovery should a hack happen. This is the exact design of the Central Bank Digital Currency (CBDC) setup. This setup ensures that phishing, impersonation and other forms of identity theft schemes fail from the start. The biggest, and if done right, only vulnerability to it is hacking, and that too can be prevented by being dutiful, consistent and frequent in running digital security checks on the backbone systems the CBDCs are hosted on.
The Central Bank of Nigeria has set up its own CBDC called the eNaira and plans to launch it on October 1. The eNaira, reportedly run on DLT, will be legal tender in Nigeria pegged to the Naira, will run a 2-tier retail CBDC model with account-based wallets for users, and will approach personal data collection and storage for onboarding with a tiered AML/KYC approach (NIN and BVN as unique identifiers). With tried and tested AML, CFL and KYC protocols running on top of the DLT system for eNaira, there is hope for user data protection. NITDA’s 2019 Data Protection Regulation can now have a good peg to actuate its mandates to the fullest on all financial and non-financial entities that collect user data.
This is what the future looks like in Nigeria. The conclusions to draw are now left for you. What are your perceptions? What are your opinions? What are your inferences? Do you have hope? Will the eNaira deliver? I sure hope it does. We will see. Thank you for coming with me on this little data-driven adventure and have a good evening from Niger State.
Quadri Abdulbaseet is something of a mixture of nearly all programming and tech-based skills you can find today. He is the Jack of all those trades, but a master of data and privacy-related algorithm designs, by choice. Quadri is a freelancer who has worked with private digital security agencies whose interfaces and backbone technologies protect a lot of social and messaging media apps from being hacked. Quadri is 37 years old and married with 3 kids.