A stock exchange firm in Uganda was spotted exposing clients’ data

June 14, 2022

Prominent security researchers recently disclosed a security incident at the Uganda Securities Exchange (USE), a Ugandan stock exchange firm, in which the firm was caught leaking highly confidential information belonging to its customers and partner companies.

The exposure was discovered during a researcher's routine scan for misconfigured databases on the Shodan search engine. During the scan, a server belonging to the USE's Easy Portal was found exposing over 32GB of data to the internet. USE uses Easy Portal, an online platform that lets its users monitor their stock performance, statements, and account balances.

According to the researcher's report, one port running on the exposed server opened a link to the Bank of Baroda, an Indian financial services company that is based in Uganda and registered under the USE.

An in-depth analysis of the exposed database found that all of the data was highly sensitive information belonging to the Uganda Securities Exchange's clients and partner companies worldwide.

Moreover, the dataset was left without any authentication, so anyone who discovered it online could acquire it, access it, and exploit it for malicious activities.

The exposed USE data included full names, usernames, addresses, birthdates, access tokens, contact numbers, email addresses, user ID numbers, plaintext passwords, financial account details, and personal details of Ugandan and foreign national clients.

Due to the magnitude of the exposure, the security researcher immediately reached out to CERT-Uganda and the USE, to no avail. The researchers assert that the data exposure itself and the lack of response to the reports are two separate issues the securities exchange could face.

On June 12, according to the researchers' monitoring, the 32GB of data that was initially exposed had been reduced to megabytes, leading to the presumption that authorities are keeping the situation confidential to avoid unwanted clamour from the media and the entities affected by the breach. Furthermore, the exposed server's IP addresses can no longer be accessed.

Nevertheless, since USE and CERT-Uganda have not made any statement on the issue, it remains unclear which entity was behind it, including whether it was the work of malicious threat groups. If that was the case, experts believe that the leaked dataset is now prone to exploitation for cybercriminal activities.
