
Authorities in Ghana are investigating an apparent data breach that may have exposed the PII of hundreds of thousands of citizens of the West African country.
Researchers discovered a bulk of unencrypted data tied to Ghana’s National Service Secretariat (NSS) in an AWS storage silo.
NSS administers one-year public service programs that are compulsory for most Ghanaian graduates and involve thousands of young people working in sectors such as healthcare and education for 12 months as a form of national service.
Some of the three million files related to NSS’s work and held on an AWS S3 bucket were password protected, but many were not, an oversight that exposed the data of an estimated 500,000-600,000 people from March 2018 to the end of 2021.
The AWS S3 bucket itself was neither encrypted nor password protected. The instance was misconfigured, and password protection was applied inconsistently, so that open versions of sensitive password-protected files were accessible in other directories.
Information held on the cloud-based storage system included personal information, scans of ID cards and pictures, as well as employment records. The same bucket also held employment notices, payment receipts and internal correspondence files from the NSS.
The exposed information potentially left thousands of Ghanaians at a greater risk of phishing, tax fraud and other forms of identity fraud. Many of the documents contained the NSS logo and text directly related to the scheme.
The incident, along with suggested remediation advice, was reported both to NSS and Ghana’s Computer Emergency Response Team (GH-CERT). Researchers discovered the alleged breach on September 29, notifying authorities on October 6 at the start of a somewhat protracted disclosure process.