Ghana’s National Service Secretariate – NSS – exposed 55GB worth of citizens’ data when an AWS S3 bucket used by the Secretariate suffered misconfiguration.
VPNMentor’s cybersecurity researchers Noam Rotem and Ran Locar reported that Ghana’s National Service Secretariate – NSS – suffered a massive database misconfiguration that exposed data of up to 700,000 citizens from across the country, amounting to 55GB of data.
Researchers believe this breach poses a great risk for the Ghanian government officials associated with the agency and thousands of its citizens. The exposed database was discovered on 29 September 2021, and NSS and CERT-GH were notified between 6th and 12th October 2021.
What is NSS?
NSS is basically a government program that manages a compulsory year of public service for Ghana-based graduates from specific educational institutions. Thousands of students join this program every year to work in different public sectors such as healthcare.
How the NSS Got Attacked?
According to VPNMentor’s report, the NSS was using Amazon Web Services (AWS), where it stored over 3 million files from its different programs. Some of the files in the cloud storage account were password-protected, most of the files were still exposed to public access as well as the database.
SEE: 9,517 unsecured databases identified with 10 billion records globally
“While the NSS had password-protected many documents stored on the S3 bucket, the bucket itself was left completely open, leaving the contents totally exposed and easily accessible to anyone with a web browser and technical skills,” VPNMentor’s report read.
Data of at least 700,000 individuals got exposed in this breach, making the individuals vulnerable to fraud, identity theft, and hacking scams. Moreover, those working at the government agency have also become vulnerable to various attacks.
Which Information got Exposed?
The exposed database contained program membership cards and identity documents of the participants, including the Ghana National Health Insurance Scheme, professional IDs according to the candidate’s placement industry, etc.
An NHIS member’s ID card among the exposed data
Furthermore, the agency stored different types of passport photos that the participants submitted. The Computer Emergency Response Team of Ghana (CERT-GH) has confirmed that the database was exposed and has confirmed to resolve the issue ASAP.
SEE: 47% of online MongoDB databases hacked demanding ransom
“A report has been prepared and shared with the CERT coordinating government agencies. We will be following up to ensure that the issue is resolved ASAP,” CERT-GH stated.
