Government data leakages and cyber hygiene among civil servants


Government data leakage refers to the exposure of sensitive data resulting from various internal triggers (digital or physical, often accidental), in contrast to data breaches, which are caused by intentional cyberattacks.

The top causes of data leakage include:

  • overlooked software vulnerabilities (‘zero-day vulnerabilities’), 
  • misconfiguration issues (misconfigured software and cloud storage settings, e.g. AWS S3 bucket misconfiguration, firewall misconfiguration),
  • social engineering attacks (such as phishing attacks),
  • weak passwords, 
  • theft or loss of devices.

Often confused with data breaches, data leaks are likely to lead to one. Data leaks can simplify cybercriminals’ access to the data necessary for launching an attack and serve as the initial stage of a cybercrime. It is noteworthy that, as per the IBM Cost of a Data Breach 2022 and 2024 reports, data breaches with stolen or lost credentials (i.e. data leaks) require almost 300 days to identify and cost USD 150,000 more than an average one. The financial loss generally amounts to $4.81 million per breach. Data leaks and breaches can also be caused by insufficient cybersecurity of a business partner. As indicated in the IBM Cost of a Data Breach reports of 2023 and 2024, supply chain breaches accounted for one in five data breaches. They add more than USD 220,000 in cost and take 26 days longer to identify and resolve than the global average.

Data leaks can be the final phase of a cybercrime’s lifecycle as well: confidential data is often sold or posted on the dark web, raising the chances of further attacks.

Sensitive data that can be exposed includes: 

  • Personally identifiable information (PII): e.g. names, phone numbers, addresses, social security numbers and emails;
  • Financial data: e.g. credit card numbers, tax information;
  • Account credentials: usernames, passwords and email addresses;
  • Government or business information: records of internal communications and meeting notes, performance metrics, HR data and roadmaps;
  • Trade secrets and intellectual property (IP): classified research, patents, project blueprints, testing materials, documentation related to discontinued or incomplete products, proprietary software, etc.;
  • Medical information.

Human error is a primary factor in data leaks, so not only overlooked digital vulnerabilities but also a lack of cyber hygiene among staff poses a major threat to an entity's cybersecurity: employees can easily become victims of a phishing attack, which can lead to the exposure of confidential data, including the aforementioned sensitive information. According to the 2024 Data Breach Investigations Report, 68% of data breaches include a human element (social engineering attacks, errors, privilege misuse), stolen credentials were used in about 24% of breaches, and nearly 12% of incidents were caused by phishing attacks.

The Spam and Phishing report of 2022 by Kaspersky, a Russian cybersecurity company, showed that 9% of Africans (including corporate users) faced a phishing attack (attacks were stopped by the company’s anti-phishing system). In South Africa, 10% of individuals reported having been affected by phishing attacks, in Kenya – 8% and in Nigeria – 7%.

At the same time, the lack of cybersecurity personnel exacerbates the risks: as per the KPMG Africa Cyber Security Outlook 2022, an estimated 3 million cybersecurity job positions were unfilled worldwide and nearly 2/3 of the studied African organisations faced difficulties recruiting qualified cybersecurity professionals. In the public sector, less than one third (29%) of all organisations have enough cybersecurity resources. According to the Serianu report, the estimated number of certified professionals stood at 20,000 in 2022.

Another common shortcoming is managing cybersecurity primarily with regard to data breaches, whereas an approach that also takes data leakages into account can tackle the root cause that leads to data breaches (i.e. leaked sensitive information).

According to the Africa Cybersecurity Outlook of 2022, data leakages (including personal information) ranked 3rd (with a 16% share) among the cyberattacks most commonly faced by African companies. In 2023 and 2024, data breaches became the most common consequence of a cyberattack for an organization, with a 61% share. The first place in the ranking was occupied by business email compromise (26%), which can also be caused by data leaks. In 2023, the number of breached accounts in Africa slightly decreased from 1 million to 980,000.

In 2022, data leakage was listed among the top three cyberthreats in Eastern, Southern and Western Africa.

Since many data leakages occur due to misconfiguration issues, consistently securing a cloud or a bucket that hosts all data and double-checking its access settings is essential. For instance, in the case of AWS S3 Buckets, they should be made private and password protected.
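One way to double-check a bucket's access settings, as an added example that is not part of the original article. It assumes inputs shaped like the responses of S3's GetPublicAccessBlock, GetBucketAcl and GetBucketPolicy calls; the function names, the bucket name and the sample values are constructed for illustration.

```python
import json

# Group URIs that S3 ACLs use for "everyone" and "any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def is_wildcard(principal):
    """True for Principal "*" and for {"AWS": "*"} / {"AWS": ["*", ...]}."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    if isinstance(principal, str):
        principal = [principal]
    return "*" in (principal or [])


def audit_bucket(bpa, acl_grants, policy_json):
    """Return findings for one bucket; an empty list means nothing public was found."""
    findings = [f"{key} is off" for key in BPA_KEYS if not bpa.get(key)]
    # Public ACL grants are honoured only while IgnorePublicAcls is off.
    if not bpa.get("IgnorePublicAcls"):
        for grant in acl_grants:
            uri = grant.get("Grantee", {}).get("URI", "")
            if uri in PUBLIC_GROUPS:
                findings.append(f"ACL grants {grant['Permission']} to {uri.rsplit('/', 1)[-1]}")
    # A public policy is reachable by anyone only while RestrictPublicBuckets is off.
    if policy_json and not bpa.get("RestrictPublicBuckets"):
        statements = json.loads(policy_json).get("Statement", [])
        for stmt in [statements] if isinstance(statements, dict) else statements:
            if stmt.get("Effect") == "Allow" and is_wildcard(stmt.get("Principal")):
                note = " (has Condition: review by hand)" if stmt.get("Condition") else ""
                findings.append(f"policy allows {stmt.get('Action')} to any principal{note}")
    return findings


# Constructed sample settings, shaped like the S3 API responses.
ALL_OFF = dict.fromkeys(BPA_KEYS, False)
ALL_ON = dict.fromkeys(BPA_KEYS, True)
OPEN_ACL = [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"}]
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-records-bucket/*"}]})

if __name__ == "__main__":
    for label, bpa in (("misconfigured", ALL_OFF), ("hardened", ALL_ON)):
        print(label, audit_bucket(bpa, OPEN_ACL, OPEN_POLICY))
```

With all four Block Public Access settings enabled, the same open ACL and policy produce no findings, which is why those settings are the first thing to verify on a bucket that holds citizens' records.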

Educating non-security staff about cyber hygiene would also significantly contribute to mitigating risks of data leakage. Furthermore, developing comprehensive data privacy and protection regulation and standards would mitigate the risks of government data leaks, simplify case resolution in this area and ensure accountability.

Solutions

Measures necessary to prevent data leaks include:

  • identifying and categorising all sensitive data;
  • adopting a zero-trust strategy;
  • simplifying access permissions;
  • using multi-factor authentication and a password manager;
  • encrypting all data;
  • evaluating vendors' and business partners' cybersecurity risks;
  • monitoring dark web forums and cybercriminal marketplaces.


Educating non-security staff about cyber hygiene would also significantly contribute to mitigating risks of data leakage. Security measures to avoid becoming a victim of phishing attacks are the following:

  • Opening emails and links only from legitimate and trustworthy senders, and being wary of phishing emails;
  • Avoiding browsing suspicious websites and checking the URL links of questionable websites for mistakes (like a 0 instead of O, 1 instead of l, etc.);
  • Installing security software;
  • Downloading applications only from legitimate sources;
  • Using different passwords.
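The URL check from the list above can also be automated at a mail gateway or proxy. The following is an added example, not part of the original article: it flags hostnames that only match a trusted domain after look-alike characters are collapsed. The trusted domains, sample URLs and function names are constructed, and the "rn" for "m" pair goes beyond the swaps the list names.

```python
from urllib.parse import urlsplit

# Character swaps of the kind the list mentions (0 for o, 1 for l).
SWAPS = str.maketrans({"0": "o", "1": "l"})

# Constructed allowlist of the organisation's own domains.
TRUSTED = ("portal.gov.example", "mail.gov.example")


def skeleton(host):
    """Collapse look-alike characters so visually similar names compare equal."""
    # "rn" for "m" is an extra pair added by this example.
    return host.lower().translate(SWAPS).replace("rn", "m")


def classify_url(url, trusted=TRUSTED):
    """Return 'trusted', 'lookalike of <domain>', 'punycode' or 'unknown'."""
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a bare "host/path" as a host
    # .hostname drops any "user@" prefix, so the real host is what gets judged.
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return "unknown"
    for domain in trusted:
        if host == domain or host.endswith("." + domain):
            return "trusted"
    skel = skeleton(host)
    for domain in trusted:
        target = skeleton(domain)
        if skel == target or skel.endswith("." + target):
            return f"lookalike of {domain}"
    # Internationalised labels can hide non-Latin look-alike letters.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "punycode"
    return "unknown"


if __name__ == "__main__":
    for sample in ("https://portal.gov.example/login",
                   "https://p0rta1.gov.example/login",
                   "rnail.g0v.example/reset",
                   "https://portal.gov.example@files.test/x"):
        print(f"{sample} -> {classify_url(sample)}")
```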

There are also full Data Leakage Prevention solutions (e.g. the one provided by RusHighTechExport) that make it possible to control information flows in public and private structures. Such a solution helps to counteract information leaks by tracking all the actions of employees on work computers, namely: control of an employee's external messages (mail, instant messengers, video conferences), control of file operations on the workstation, control of database operations, and monitoring of the efficiency of working time at the computer.

Furthermore, developing comprehensive data privacy and protection regulation and standards would mitigate the risks of government data leaks, simplify resolving cases in this area and ensure accountability.

Authors:

Olesya Kalashnik

Daria Sukhova

Alexandra Yankova

Ghana

In September 2021, VPNMentor’s cybersecurity researchers discovered an exposed database of Ghana’s National Service Secretariat. Due to an AWS S3 bucket misconfiguration and inconsistently set password protection, 55 GB of citizens’ data were exposed to public access, containing information of nearly 700,000 individuals. Apart from PDF files, the bucket contained unprotected and unencrypted QR codes (a total of 749,000) which led to files with sensitive information as well as the archived documents (such as employment and salary notices) without any password required.

The leaked data included programme membership cards, identity documents – photos of Ghana National Health Insurance Scheme cards, passports, professional IDs, employment and educational records, etc. – resulting in increased vulnerability of both citizens and civil servants of this public body to identity theft, hacking scams and social engineering attacks.

In October 2021, the researchers notified the agency and Ghana’s Computer Emergency Response Team (CERT-GH) about the exposed data. CERT-GH confirmed the data leakage and committed to taking prompt measures to resolve the issue. Whilst VPNMentor’s team did not receive any confirmation of successful problem resolution from Ghana’s government bodies, its researchers told the Daily Swig (a media outlet on cybersecurity threats) that the AWS bucket had been taken down from public access, making the data inaccessible to the public.

Egypt

On 23 July 2023, Falcon Feeds, a firm monitoring dark web sources for data leakages, reported a leak of Egyptian Ministry of Health and Population data which, as claimed by the hacker who posted it, contained personal information of 2 million citizens, including names, ID numbers, diagnoses, surgeries, and other medical information. According to the firm’s research, the exposed data was put up for sale on the dark web for USD 5,000.

On 31 July, the Egyptian Minister of Health and Population Khaled Abdel-Ghaffar confirmed the leak in a commentary to Cairo 24 and announced that the agency had contacted the country's security authorities and that the problem would be resolved immediately. As of September 2023, information on the measures taken and the status of the problem is not available.

Another leak of citizens’ personal data in Egypt was discovered in February 2023 by a co-founder of Anduin, an AI-based software provider, and confirmed by Human Rights Watch. According to the HRW report, more than 72,000 records of children who had applied to take the Egyptian Scholastic Test (EST) (over the period September 2020 – December 2022) were exposed due to a misconfiguration of Amazon Web Services.

According to Human Rights Watch, the information was exposed for at least eight months and contained information on national ID, names, home addresses, emails, phone numbers, schools that children attend and universities they applied to, grade level, test score, etc.

The EST was developed in 2020 as an alternative to the SAT (a US exam) and was required for students with the American Diploma to enrol in Egyptian universities. Around March 2022, the ownership of EST was transferred to a British company established in 2021 – Egyptian Scholastic Test Ltd. (renamed to Academic Assessment Ltd. in November 2022). Thus, the Egyptian Ministry of Education distanced itself from the examination and did not respond to HRW’s request to resolve the leakage in February 2023.

The Chief Executive Officer of Academic Assessment Ltd., Habib Khalil Sayegh, responded that the company had investigated the exposure, but he did not respond to HRW’s questions and did not commit to rendering the information inaccessible to the public. The data was removed only after HRW notified Amazon about the child data privacy violation on 15 March.

The data leakage also indicated opportunities for strengthening and clarifying data protection standards and regulations in the countries concerned, since the details and legal aspects of the transfer of children’s personal information gathered by the government to a private British company remain undisclosed, and neither the Egyptian government nor Academic Assessment confirmed ownership of the information or was obliged to fix the leak.