Unveiling the Data Security Breach at Uganda Securities Exchange: Lessons in Personal Data Protection

Daudi Asiimwe

August 4, 2023

In June 2023, the Uganda Securities Exchange (USE) encountered a severe data security breach, causing alarm over the privacy and protection of personal data. The incident raised pertinent questions about the robustness of data protection measures and the compliance of organizations with data protection laws. In this comprehensive report, we will delve into the intricate details of the breach, explore its underlying causes, and highlight the far-reaching implications for consumers and businesses alike.

The Role of the Personal Data Protection Office: Uganda’s Personal Data Protection Office (PDPO) serves as the regulatory authority for data protection and privacy matters. Operating under the National Information Technology Authority, Uganda (NITA-U), the PDPO ensures the implementation and enforcement of the Data Protection and Privacy Act, 2019. Among its key responsibilities are overseeing compliance, conducting investigations, and providing guidance to entities in the protection of personal data.

Understanding the Uganda Securities Exchange (USE): Established in 1997, the Uganda Securities Exchange (USE) operates as an approved securities exchange, facilitating the trading of securities. Governed by a board of directors, including licensed broker/dealer firms, investment advisors, and representatives of investors and issuers, USE plays a vital role in Uganda’s capital markets.

Unraveling the Data Security Breach: The breach at USE came to light through a letter addressed to the general public, together with a complaint lodged by Unwanted Witness, a civil society organization. Further reports surfaced via a tweet, a security platform publication, and an article in the Daily Monitor. The breach primarily involved unauthorized access to an audit logging server operated by USE’s third-party technology partner, compromising the privacy and integrity of personal data held in the Easy Portal system.

Investigation Findings: The PDPO conducted a thorough investigation into the breach, unearthing crucial findings that shed light on the scope and causes of the incident. The investigation centered around two key issues:

1. Confirmation of the Data Security Breach:

The PDPO investigation confirmed that USE experienced a data security breach. Its cause was a misconfigured firewall on the audit logging server: during an upgrade of USE’s Know Your Customer (KYC) system, the misconfiguration left a port open, and through it personal data was accessible without authorization for approximately twelve days.

The accessed information included sensitive details such as National Identification Numbers (NINs), names, dates of birth, email addresses, physical addresses, and telephone numbers. Notably, the exposed records were personal data that Soft Edge Uganda Limited, USE’s technology partner, handled in the course of its contractual relationship with USE.

2. Accountability and Compliance Assessment:

The investigation identified significant lapses in accountability and compliance with data protection regulations by both USE and Soft Edge Uganda Limited.

a) Policies and Procedures on Change Management:

Soft Edge, as USE’s technology partner, failed to adhere to the change management provisions outlined in USE’s Information Systems Policies Manual. During interviews, Soft Edge representatives acknowledged their non-compliance and admitted to not notifying USE’s help desk or IT management about the changes made. USE, in turn, neglected its responsibility as a data collector by not ensuring that Soft Edge adhered to policies protecting individuals’ personal data.
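The open port under finding 1 and the unnotified change under finding 2(a) point to the same missing control: a check, run before and after any change to a host, of what the host actually exposes beyond its own loopback interface. The script below is an added illustration of such a check; it is not code from USE, Soft Edge, or the PDPO report. It assumes a Linux host and parses the output of `ss -tlnp`; the sample output, the process names, the port numbers, and the allowlist of approved ports (hypothetically SSH and TLS syslog intake for an audit logging server) are all constructed for the example.

```python
"""
Host exposure check: which TCP listeners are reachable from other hosts, and
which of those are not on the approved list. Added illustration, not code from
USE, Soft Edge or the PDPO report. Assumes Linux and the `ss -tlnp` format.
"""
import ipaddress
import re
import subprocess
from typing import Dict, List, NamedTuple


class Listener(NamedTuple):
    addr: str      # bind address as printed by ss, brackets stripped
    port: int
    process: str   # owning process name, "?" if ss did not report one


# Assumption: an audit logging host is approved to expose only SSH (22) for
# administration and TLS syslog intake (6514). Everything else must stay local.
APPROVED_PORTS = {22, 6514}

# Constructed sample of `ss -tlnp` output. The 0.0.0.0:9200 listener stands in
# for a hypothetical log-indexing service that an upgrade left bound to all
# interfaces; the loopback-only listeners are not reachable from outside.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       4096    127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=1044,fd=7))
LISTEN  0       511     0.0.0.0:9200         0.0.0.0:*          users:(("java",pid=2210,fd=44))
LISTEN  0       4096    [::]:6514            [::]:*             users:(("rsyslogd",pid=901,fd=9))
LISTEN  0       4096    [::1]:9300           [::]:*             users:(("java",pid=2210,fd=47))
"""

_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*(.*)$")
_PROC = re.compile(r'\(\("([^"]+)"')


def parse_ss(output: str) -> List[Listener]:
    """Turn `ss -tlnp` text into Listener records; header and malformed lines are skipped."""
    listeners = []
    for line in output.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        addr, port, proc_field = m.groups()
        addr = addr.strip("[]")                # "[::]" -> "::", "[::1]" -> "::1"
        pm = _PROC.search(proc_field)
        listeners.append(Listener(addr, int(port), pm.group(1) if pm else "?"))
    return listeners


def is_reachable_bind(addr: str) -> bool:
    """True when the bind address can accept connections from other hosts."""
    if addr == "*":
        return True
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True                            # unknown form: fail closed, treat as exposed
    return not ip.is_loopback                  # 0.0.0.0 and :: are wildcard binds, hence reachable


def exposure_drift(listeners: List[Listener], approved) -> List[Listener]:
    """Listeners reachable from outside the host that are not on the approved list."""
    return [l for l in listeners if is_reachable_bind(l.addr) and l.port not in approved]


def check_host(output: str, approved=APPROVED_PORTS) -> Dict[str, List[Listener]]:
    """Split reachable listeners into approved and unexpected, for a change-ticket record."""
    listeners = parse_ss(output)
    reachable = [l for l in listeners if is_reachable_bind(l.addr)]
    return {
        "approved": [l for l in reachable if l.port in approved],
        "unexpected": exposure_drift(listeners, approved),
    }


def live_ss_output() -> str:
    """Collect the real listener table on a Linux host (not used by the sample run)."""
    return subprocess.run(["ss", "-tlnp"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    result = check_host(SAMPLE_SS_OUTPUT)
    for l in result["approved"]:
        print(f"approved exposure:   {l.addr}:{l.port} ({l.process})")
    for l in result["unexpected"]:
        print(f"UNEXPECTED exposure: {l.addr}:{l.port} ({l.process})")
    # -> UNEXPECTED exposure: 0.0.0.0:9200 (java)
```

Run it at the start of a change window and again before the window closes, and attach both results to the change ticket; a listener that appears on a non-loopback address without being on the allowlist is exactly the drift that should block sign-off until the service is rebound or the firewall rule is fixed. Because the check reads the host’s own socket table, it complements rather than replaces an external port scan from an untrusted vantage point, which is what confirms what the firewall actually admits.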

b) Incident Response and Management:

The investigation found a conflict between USE’s Information Systems Policies Manual and the Data Protection and Privacy Act, 2019. The manual’s clause granting the USE Chief Executive Officer sole discretion over whether to report a data security breach conflicts with Section 23 of the Act, which makes reporting mandatory. In addition, USE failed to notice a Twitter message disclosing the exposure of personal data; this lapse was judged negligent and prolonged the breach to twelve days. Neither USE nor Soft Edge responded promptly, in breach of their obligations as data collectors, controllers, and processors under the Act.

Compliance Assessment with Data Protection Laws:

The PDPO investigation extended beyond the breach itself to assess USE and Soft Edge’s compliance with other aspects of the Data Protection and Privacy Act and its associated regulations. The key findings are as follows:

a) Registration with the Personal Data Protection Office (PDPO):

Soft Edge Uganda Limited, as a data processor for USE, failed to register with the PDPO as required by Section 29(2) of the Data Protection and Privacy Act and Regulation 15(1) of the Data Protection and Privacy Regulations. This omission represents a significant violation of the law.

b) Data Sharing Agreement:

Section 21(2) of the Data Protection and Privacy Act requires a contractual agreement between data controllers and data processors that establishes and maintains confidentiality and security measures protecting the integrity of personal data. The existing agreement between USE and Soft Edge proved inadequate for this purpose: it did not clearly define the categories of personal data shared or the respective obligations of the data controller and the data processor. Although the agreement predates the Act, the regulations issued under it emphasized the need for alignment, leaving USE and Soft Edge in violation of the standards set by the Act and its regulations.

Implications and Next Steps: The PDPO investigation highlighted the crucial role of robust data protection measures and strict adherence to data protection regulations. To enforce the Data Protection and Privacy Act and its attendant regulations, the PDPO outlined the following steps:

a) Prosecution:

USE, Soft Edge Uganda Limited, and their accountable representatives responsible for the data security breach will face prosecution for negligence in handling personal data. Sections 35 and 38 of the Data Protection and Privacy Act prescribe penalties for unlawful disclosure and corporate responsibility for contraventions.

b) Compliance Rectification:

USE and Soft Edge have been given a three-month timeframe to rectify all non-compliant areas highlighted in the investigation report. This rectification is necessary to ensure adherence to the Data Protection and Privacy Act and its related regulations.

Consumer Protection Measures and Key Takeaways:

The data security breach at the Uganda Securities Exchange serves as a stark reminder of the importance of personal data protection and the need for stringent safeguards. As consumers, there are several measures we can take to protect our personal information:

1. Stay Informed: Stay updated on data protection laws and regulations in your country. Familiarize yourself with your rights as a data subject, including the right to know how your data is being collected, used, and stored.

2. Vigilance in Sharing Personal Information: Be cautious when sharing personal information online or with organizations. Only provide necessary details and ensure you understand the purpose and intended use of your data.

3. Strong Passwords and Secure Authentication: Use strong, unique passwords for all your online accounts and enable multi-factor authentication wherever it is offered. It adds a layer of protection against unauthorized access even if a password is exposed.

4. Regularly Monitor Accounts and Statements: Keep a close eye on your financial and online accounts, regularly reviewing transactions and statements. Report any suspicious activities or discrepancies immediately.

5. Exercise Data Subject Rights: Familiarize yourself with your rights under data protection laws, such as the right to access your personal data, rectify inaccuracies, and request deletion when appropriate.

6. Choose Trusted Service Providers: Before sharing your personal information with any organization, research their reputation, data protection policies, and compliance with relevant regulations. Opt for service providers that prioritize data security and privacy.

7. Maintain Security Software: Keep your devices and software updated with the latest security patches and antivirus software. Regularly scan for malware and ensure your operating system is up to date.

8. Be Mindful of Phishing Attempts: Beware of phishing attempts through emails, text messages, or phone calls. Exercise caution before clicking on links or providing personal information, especially if the request seems suspicious or comes from an unknown source.

9. Report Data Breaches and Privacy Violations: If you suspect your personal data has been compromised or you have experienced a privacy violation, report it to the relevant authorities or data protection office in your country. By reporting incidents, you contribute to the accountability and enforcement of data protection regulations.

The data security breach at the Uganda Securities Exchange highlights the critical importance of personal data protection and compliance with data protection laws. Organizations must prioritize implementing robust security measures, adhering to regulations, and fostering a culture of data protection. As consumers, we play an active role in safeguarding our personal information by staying informed, exercising caution, and advocating for stronger data protection measures. By doing so, we can collectively work towards a safer and more secure digital landscape that respects and protects our privacy and personal data.
