NSS allegedly hit by data breach as 700,000 people's documents leak online

Data of persons across Ghana allegedly exposed, web security firm

NSS is the government agency for mandatory public service for graduates

Noam Rotem and Ran Locar discover alleged NSS data breach

It is important to note that the Public Relations Officer of the NSS Armstrong Essah, when contacted by GhanaWeb via phone on December 20, 2021, stated that

Read full articlethe scheme is not aware of the said data breach.

A team of researchers from web security firm, vpnMentor has allegedly discovered what they term as a ‘massive data breach’ at the National Service Secretariat (NSS).

In an email correspondence with GhanaWeb, the researchers led by Noam Rotem and Ran Locar said they discovered that the NSS was using Amazon Web Services to store over 3 million files collected from the public through its various activities.

“As a result, up to 700,000 people from across Ghana were exposed to fraud, hacking, and identity theft – not to mention the dangers posed to the institutions they were working at and the Ghanaian government itself,” they told GhanaWeb and also published their findings in a blog post.

The web security firm added that while the NSS had password-protected the files, “a major oversight by whoever was in charge of organizing the documents, the password protection ended up being useless since other files with the same data were accessible in another folder in the same bucket.”

“Finally, many of the documents containing the NSS logo and text directly related to the scheme. Once we confirmed that the NSS was responsible for the data breach, we contacted the agency to notify them and offer our assistance. However, we never received a reply from the NSS,” it continued.

To further ascertain these findings, vpnMentor said it reached out to Ghana’s Computer Emergency Response Team (CERT-GH) twice of which they received a reply on a second try requesting more information.

"After disclosing the situation to them, CERT-GH replied: My team has verified and confirmed the vulnerability. A report has been prepared and shared with the CERT coordinating Gov Agencies incidents. We will be following up to ensure that the issue is resolved ASAP.”

In response, the web security firm revealed, "We followed up several times to Ghana’s CERT, but never received a reply back. We also reached out to Ghana’s government, unfortunately without success"

"We followed up several times to Ghana’s CERT, but never heard back from them again. We also reached out to Ghana’s government, unfortunately without success" it added.

Brief summary of the findings:

The web security firm revealed the data breached ranged from March 2018 to present [2021] while the size of data in gigabytes is approximately 55GB.

Also, the suspected number of files is 3,814,795 and the number of people exposed is most likely 500,000-600,000 with potentially up to 700,000 exposed, according to vpnMentor.

The types of data exposed were PII data, ID cards, employment and educational records among others. The potential impact of the breach however is phishing, fraud, ransomware, anti-government dissent, misinformation and extortion.

Meanwhile, the Public Relations Officer of the NSS, Armstrong Essah when contacted by GhanaWeb via phone on December 20, 2021, indicated that they were not aware of the said data breach as at the time of filing this report.