IPPIS payroll validation, FG workers’ personal data on OAGF website have been hijacked

FIJ

The ‘IPPIS Payroll Validation‘ section on the official website of the Office of the Accountant-General of the Federation (OAGF) headed by Oluwatoyin Sakirat Madein has been hijacked by an unknown hacker.

Similarly, workers’ personal data stored on the official website of the IPPIS Secretariat, a department at the OAGF, is susceptible to attack, FIJ can report.

FIJ reported on Friday that the TLS certificate (commonly called the SSL certificate) of the website belonging to the IPPIS Secretariat had expired and had not been renewed for over a year.

The functions of the secretariat and that of the OAGF are interconnected. While the secretariat functions to securely manage the Integrated Personnel and Payroll Information System (IPPIS), the federal government employees’ payroll, the OAGF’s area of responsibility includes the supervision of accounts of federal ministries, departments and agencies (MDAs).

An expired certificate means browsers can no longer confirm that they are talking to the genuine site and will warn visitors away; anyone who clicks past the warning can have the connection intercepted, including any login or personal details they submit. It does not by itself expose the files on the server, but it is a clear sign that nobody is maintaining the site, and the findings below bear that out.
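As an added practitioner's check (not code from FIJ or from the OAGF/IPPIS sites), the following Python script does what a browser does when it reaches such a site: it verifies the certificate chain and host name, and on a validated certificate reports how long the certificate has left. The host names and dates in the constructed sample are placeholders; `probe` is the only part that touches the network, and a verification failure such as "certificate has expired" is returned as data so a scheduled job can report it.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
# The name and dates are placeholders and do not describe any real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example-agency.gov.ng"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Jan  1 00:00:00 2023 GMT",
    "notAfter": "Jan  1 00:00:00 2024 GMT",
    "subjectAltName": (
        ("DNS", "www.example-agency.gov.ng"),
        ("DNS", "example-agency.gov.ng"),
    ),
}


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: exact match, or one wildcard covering one label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        labels = host.split(".", 1)
        return len(labels) == 2 and labels[1] == pattern[2:]
    return False


def assess_cert(cert: dict, host: str, now: float, warn_days: int = 30) -> dict:
    """Judge a decoded certificate for `host` at Unix time `now` (UTC seconds)."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((not_after - now) // 86400)
    # Browsers match against the SAN list; the subject CN is only a legacy fallback.
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if now < not_before:
        status = "not_yet_valid"
    elif now > not_after:
        status = "expired"
    elif days_left <= warn_days:
        status = "expiring_soon"
    else:
        status = "valid"
    return {
        "status": status,
        "days_left": days_left,
        "not_after": datetime.fromtimestamp(not_after, timezone.utc).isoformat(),
        "name_matches": any(name_matches(n, host) for n in names),
        "names": names,
    }


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check with full chain and host-name verification, as a browser would do.

    An expired certificate, a name mismatch or an unknown CA is returned as data
    rather than raised, so a monitoring job can report it instead of crashing.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return {"status": "verify_failed", "reason": exc.verify_message}
    except OSError as exc:  # ssl.SSLError and socket errors both derive from OSError
        return {"status": "unreachable", "reason": str(exc)}
    return assess_cert(cert, host, datetime.now(timezone.utc).timestamp())


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        # Offline demonstration against the constructed sample, one year after expiry.
        print(assess_cert(SAMPLE_CERT, "www.example-agency.gov.ng", 1735689600.0))
```

Run as `python check_cert.py <hostname>` against a live site; with no argument it assesses the constructed sample. The same dates can be read with `openssl s_client -connect host:443 -servername host | openssl x509 -noout -dates`, but the script's `expiring_soon` threshold is what turns a one-off check into a renewal reminder.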

Following FIJ’s report, a source who sought to remain unnamed alerted FIJ to a more troubling finding about the website: workers’ details have been exposed.

A snapshot of the website section after one clicks on it on the main OAGF’s website.

With the tip-off and further findings, FIJ can now report that large volumes of government employees' personal data had been left openly accessible on the website.

Workers’ information such as surnames, middle names, first names, phone numbers, email addresses and dates of birth were exposed.

Other critical information left unsecured on the website were maiden names, hire dates [dates of employment], salary structure, and grade level and steps of individual workers. FIJ is unable to publish these data in this report as it will amount to a violation of the law.

FIJ further noted that a web section named ‘IPPIS Payroll Validation’ on the OAGF’s main website had been hijacked, too. Clicking the payroll validation link opened a new tab pointing at a web address outside the OAGF’s own domain, and the page did not load; the browser displayed the message “This site can’t be reached”.

A further check on that web address (https://ippisportal.helixfons.com/) raises more concerning questions. The domain is not under the government’s gov.ng namespace, and its registration record gives the address Kalkofnsvegur 2, Reykjavik, the capital of Iceland. That address is the published address of a WHOIS privacy proxy service, so it conceals rather than reveals who registered the domain; what the record does establish is that the OAGF’s own website was sending staff to a domain the government does not control.

A snapshot of the details of the suspicious web address.

SOCIAL MEDIA HANDLES HIJACKED

FIJ further found that the secretariat’s social media handles had been hijacked by a cyber attacker.

The secretariat’s social media handles in a red circle.

Like many organisations, the secretariat has some social media handles, including on X and Facebook, and linked them to the website.

Clicking on the X and Facebook links takes one to pages belonging to an unrelated firm. FIJ reads this as a takeover of the handles; the identity of those pages (below) is equally consistent with a site built from a third-party web design template whose placeholder social links were never replaced. Either way, visitors following the secretariat’s official links were sent to accounts the secretariat does not control.

The attacker’s Facebook page.

For instance, the Facebook link led to a page named “DevItems,” a web design firm that last posted on February 9, 2020, and is supposedly based in Atlanta in the United States.

The X page takes one to a suspended handle (@devitemsllc), a name that matches the same web design firm.

Taken together, these findings show that the websites were neither maintained nor protected. From FIJ’s observation, the information stored on them could have been harvested by anyone who came across it, including internet criminals.
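The dangling payroll-validation link and the social-media links above are the same class of problem: an official page pointing at destinations the agency does not control. As an added example (not FIJ’s or the OAGF’s code), the Python below audits a page’s outbound links, flagging external hosts for review and hosts that no longer resolve as high severity. The HTML is constructed for the example and its host names, apart from the public social networks, are placeholders; the resolver is injectable so the audit can run without a network.

```python
import socket
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed page mirroring the pattern in the report: one same-origin link, one
# link to an unrelated third-party domain, two social links and a mailto. The
# agency and vendor host names are placeholders (.invalid is reserved for that).
SAMPLE_HTML = """
<html><body>
  <a href="/about">About</a>
  <a href="https://portal.example-agency.gov.ng/validate">Payroll validation</a>
  <a href="https://payroll.example-vendor.invalid/">Payroll validation (old link)</a>
  <a href="https://www.facebook.com/some-vendor-page">Facebook</a>
  <a href="https://x.com/some_vendor_handle">X</a>
  <a href="mailto:info@example-agency.gov.ng">Contact</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect every href on <a> tags; stdlib only, tolerant of sloppy HTML."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def make_static_resolver(known_hosts):
    """Offline stand-in for socket.gethostbyname: resolves only the given hosts."""
    def resolve(host):
        if host in known_hosts:
            return "203.0.113.1"  # RFC 5737 documentation range
        raise OSError(f"{host}: name does not resolve")
    return resolve


def audit_links(html, page_url, trusted_suffixes, resolver=socket.gethostbyname):
    """Classify each absolute http(s) link on the page that leaves its origin.

    trusted_suffixes: domain suffixes the site owner controls, e.g. ("gov.ng",).
    Severity per external link:
      high   - host does not resolve: a dangling link whose domain may have
               lapsed and could be re-registered by someone else
      review - external host that resolves: confirm the destination is really
               the owner's (a social account, a vendor portal)
      info   - external host under a trusted suffix
    """
    collector = LinkCollector()
    collector.feed(html)
    base_host = urlsplit(page_url).hostname
    findings = []
    for href in collector.hrefs:
        url = urljoin(page_url, href)
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or parts.hostname is None:
            continue  # mailto:, tel:, javascript: and friends are out of scope here
        host = parts.hostname
        if host == base_host:
            continue  # same-origin links stay under the owner's control
        trusted = any(host == s or host.endswith("." + s) for s in trusted_suffixes)
        try:
            resolver(host)
            resolves = True
        except OSError:  # socket.gaierror derives from OSError
            resolves = False
        if not resolves:
            severity = "high"
        elif trusted:
            severity = "info"
        else:
            severity = "review"
        findings.append({"url": url, "host": host, "trusted": trusted,
                         "resolves": resolves, "severity": severity})
    return findings


if __name__ == "__main__":
    offline = make_static_resolver({"portal.example-agency.gov.ng", "www.facebook.com", "x.com"})
    for f in audit_links(SAMPLE_HTML, "https://www.example-agency.gov.ng/", ("gov.ng",), offline):
        print(f"{f['severity']:6} {f['url']}")
```

In a real run, drop the `resolver` argument so live DNS is used and feed the script the fetched HTML of each public page. A "review" finding is not a fault in itself; it is the prompt to confirm that the Facebook or X account behind the link still belongs to the organisation, which is exactly the check that was missing here.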

IMPLICATION IN HINDSIGHT

The suspended X page.

Per the Nigeria Data Protection Act, personal data is any information relating to an individual who can be identified or is identifiable, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social, or economic identity of that individual.

The sensitivity of a full name, date of birth, phone number and email address lies in how they are used: banks and other financial institutions rely on exactly these details to identify customers and verify transactions.

In the case of government workers, the information can be linked to their salary accounts and other digital accounts. With this information left unguarded by their employer, they are exposed to fraud and privacy breaches.

According to the source who provided the tip-off, an attacker holding such information could do many things with it, such as phishing. The details are also tied to workers’ financial records, because whatever they supplied to IPPIS must correspond with what their banks hold. In short, it would not augur well should an attacker gain access to them.

FIJ’s findings could explain why some workers have been reporting unexplained deductions from their salaries with no satisfactory word from the secretariat or even the OAGF.

In a report on February 8, Idris Abdulkabir, a civil servant based in Kaduna State, told FIJ his unsolicited loan deductions from his salary could lead to his death.

“If I die from overthinking, please hold IPPIS responsible for removing my money indiscriminately and sending it to a loan agency I know nothing about,” Abdulkabir said.

The report also spotlighted the experiences of some other workers affiliated with federal medical establishments including the University College Hospital, Ibadan; the National Orthopaedic Hospital, Kano; and the Ahmadu Bello Teaching Hospital, Zaria.

In October, some workers lamented how some portions of their salaries were deducted to service loans they did not obtain.

“I didn’t collect a loan from any of such loan accounts. It is very obvious that this loan account committed this fraud in collaboration with some staff of the IPPIS in Abuja. I took a loan which has been offset since April 2023. I do not owe anyone,” an Ondo State-based government worker told FIJ in October.

Last November, FIJ also reported how N129,650 was deducted from a worker living in Lagos State. “I can’t comprehend IPPIS’s actions with my funds during these challenging times. After deducting the money from my account, IPPIS failed to pay Credit Direct what I owed. I am exhausted,” he told FIJ.

In all of those reports, the secretariat never responded to FIJ’s requests for comment.

POOR DATA MANAGEMENT BY PUBLIC INSTITUTIONS

A snapshot of the unresponsive Contact Us form on OAGF’s website.

Despite the existence of laws and regulations requiring adequate maintenance of websites and the protection of citizens’ data, the failure of government institutions to effectively discharge this responsibility is public knowledge.

The National Information Technology Development Agency (NITDA) and the Presidential Enabling Business Environment Council (PEBEC) statutorily mandate government institutions to maintain a quality website safe for information-keeping and also enable citizens to demand quality service delivery.

Section 7.2 of the NITDA guidelines, which applies to government websites, reads in part:

“Government Institutions shall:
i. Commit to a continuous process of maintaining the security of Web Servers to ensure continued security.
ii. Use authentication and cryptographic technologies as appropriate to protect certain types of sensitive data with differing access privileges.
iii. It is recommended that SSL be used for any cryptographic implementation.”

From the police to the presidency, a pattern of poor management of official websites has emerged.

In April, the official website of the State House was only restored to normalcy after FIJ reported that its TLS certificate had been expired for two weeks without renewal. A similar story was written about the official website of the Nigeria Police Force (NPF) in the same month.

On data breaches, FIJ exposed how citizens’ national identification data had been illicitly harvested and commercialised by XpressVerify, a dodgy private website.

The media backlash that followed forced the National Identity Management Commission (NIMC), Nigeria’s identity management agency, to disclaim any responsibility for the breach and promise to investigate the incident. This was after the website host had deactivated the site’s domain name.
