A number of Uganda Securities Exchange (USE) employees are set to be relieved of their duties as a result of a cyber breach that exposed customers' personal data.
The Personal Data Protection Office (PDPO) made this recommendation following an investigation into the data security breach at USE last year.
This office is the national body responsible for the implementation and enforcement of the Data Protection and Privacy Act and its attendant Regulations in Uganda. It coordinates, supervises and monitors all organisations collecting and processing personal data within Uganda, and outside Uganda where the data relates to Ugandan citizens.
The PDPO revealed in a statement that it had completed its investigation into the data security breach involving the Uganda Securities Exchange (USE) and its technology partner, Soft Edge Uganda Limited, which resulted in unauthorised access to the personal data of individuals whose data was collected by USE.
“The investigation found that the data security breach was caused by non-compliance with the information systems policy manual, the data protection and privacy act, and supporting regulation,” reads part of the statement.
The breach was specifically attributed to a change in the firewall configuration that left a portal open; the change had not gone through the established change management procedures.
Further, the PDPO stated that there were critical areas of non-compliance with the Data Protection and Privacy Act and accompanying regulations, noting that the maintenance agreement between USE and Soft Edge Uganda Limited lacked critical data protection and privacy provisions.
“For instance, it failed to specify the types of personal data to be shared and the obligations of both parties to ensure data security and privacy. This inadequacy left the parties without clear data protection and privacy-related responsibilities,” the PDPO said.
The other significant finding was that both USE and Soft Edge Uganda Limited failed to regularly verify whether the implemented security safeguards were effective. “This oversight led to the data security breach going unnoticed for twelve (12) days,” the PDPO said.
“Therefore, PDPO recommends that USE initiates disciplinary proceedings against relevant personnel as per its employee policies due to their role in the breach,” the PDPO ordered.
Furthermore, the PDPO recommends that USE ensures that the Information Systems Policies Manual is implemented throughout its operations and that reviews and updates are made to the policy and data-sharing agreements to ensure compliance with the Data Protection and Privacy Act and supporting Regulations.
USE is expected to implement the above recommendations and others provided in the report within three (3) months.
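The two root causes the PDPO names, an unmanaged firewall change that left a portal open and safeguards that nobody verified for twelve days, are exactly what a routine ruleset drift check catches. The following is an added illustration, not code from USE, Soft Edge or the PDPO report: it compares a live firewall ruleset against the last change-managed baseline and flags unapproved changes and any non-public port opened to the whole internet. The rule names, ports and address ranges are constructed for the example.

```python
"""Firewall change-drift check (added example; not the USE/Soft Edge configuration).

Compares the currently deployed ruleset against the last approved,
change-managed baseline and reports (1) rules added or altered outside the
change process and (2) rules exposing a service to the whole internet.
All rule names, ports and networks below are constructed sample values.
"""
from ipaddress import ip_network

# Constructed approved baseline: what change management last signed off.
APPROVED_BASELINE = {
    "web-https":   {"port": 443,  "source": "0.0.0.0/0",    "action": "allow"},
    "easy-portal": {"port": 8443, "source": "10.20.0.0/16", "action": "allow"},
    "db-mysql":    {"port": 3306, "source": "10.20.5.0/24", "action": "allow"},
}

# Constructed live ruleset: one rule widened and one added outside the process.
LIVE_RULESET = {
    "web-https":   {"port": 443,  "source": "0.0.0.0/0",    "action": "allow"},
    "easy-portal": {"port": 8443, "source": "0.0.0.0/0",    "action": "allow"},
    "db-mysql":    {"port": 3306, "source": "10.20.5.0/24", "action": "allow"},
    "temp-debug":  {"port": 22,   "source": "0.0.0.0/0",    "action": "allow"},
}

# Ports the baseline deliberately exposes to the public internet.
PUBLIC_PORTS = {80, 443}


def is_world_open(rule):
    """True if the rule allows traffic from any source address (a /0 network)."""
    return rule["action"] == "allow" and ip_network(rule["source"]).prefixlen == 0


def audit_firewall(baseline, live):
    """Return findings as (rule_name, reason) tuples; an empty list means no drift."""
    findings = []
    for name, rule in live.items():
        approved = baseline.get(name)
        if approved is None:
            findings.append((name, "rule not in approved baseline"))
        elif approved != rule:
            findings.append((name, f"rule differs from baseline: {approved} -> {rule}"))
        if is_world_open(rule) and rule["port"] not in PUBLIC_PORTS:
            findings.append((name, f"port {rule['port']} open to 0.0.0.0/0"))
    # Approved rules that vanished are also unmanaged change (e.g. a dropped deny).
    for name in baseline.keys() - live.keys():
        findings.append((name, "approved rule missing from live ruleset"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_firewall(APPROVED_BASELINE, LIVE_RULESET):
        print(f"DRIFT {name}: {reason}")
```

Run on a schedule against the exported ruleset, a non-empty result is the signal the PDPO says was missing for twelve days.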
This investigation was prompted by research findings by Anurag Sen, a prominent IT security researcher known for identifying vulnerable servers and alerting relevant authorities before it is too late.
It all started when Anurag was searching Shodan for misconfigured databases and came across a server that exposed more than 32GB of data to the public. According to Anurag, the server belonged to the Uganda Securities Exchange’s Easy Portal.
Easy Portal is an online self-service portal that allows users and trading entities to view stock performance, statements, and account balances.