KAMPALA
The Personal Data Protection Office (PDPO) in Uganda has taken decisive action against the Uganda Securities Exchange (USE) following a significant data security breach. This development comes after an investigation report was published yesterday, shedding light on the incident that was initially reported by Unwanted Witness Uganda in July 2022.
The breach came to public attention when ICT security researcher Anurag Sen disclosed on Twitter (@hak1mlukha) on June 13, 2022 that servers belonging to the Uganda Securities Exchange had been compromised, exposing approximately 32 GB of personal and sensitive data.
The PDPO’s investigation report, titled “Abridged Investigation Report of the Data Security Breach at the Uganda Securities Exchange (USE),” sets out critical findings. It found that the Uganda Securities Exchange and its technology partner, Soft Edge Uganda Limited, had not complied with key information security policies, the Data Protection and Privacy Act, and its supporting regulations. The breach was traced to a firewall configuration change that left a port open; the change was made in violation of established change management procedures.
Moreover, the report highlighted deficiencies in the Maintenance Agreement between USE and Soft Edge Uganda Limited, which lacked necessary data protection and privacy clauses. This oversight left both parties without clear data security and privacy responsibilities.
Additionally, the breach went unnoticed for twelve days due to a failure to regularly verify the effectiveness of security safeguards.
Furthermore, Soft Edge Uganda Limited had not registered with the PDPO as required by law at the time of the incident.
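The two technical findings above, an unauthorised firewall change that opened a port and a twelve-day gap before anyone verified the safeguards, are the kind of drift a scheduled configuration check catches. The script below is an added illustration, not code from the PDPO report, USE or Soft Edge Uganda Limited: it parses two iptables-save style dumps (an approved baseline and the running configuration), diffs the inbound ACCEPT rules, and flags any newly opened port that has no approved change record. The rule dumps, port numbers and ticket identifiers are constructed for the example; the report does not name the port involved in the USE incident.

```python
"""
Firewall-rule drift check (added example; not from the PDPO report or USE).

Compares the inbound ACCEPT rules of an approved baseline against the
running configuration and reports any port opened without an approved
change record. All dumps, ports and ticket numbers are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Matches iptables-save rules such as: -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
RULE_RE = re.compile(
    r"^-A\s+(?P<chain>\S+)\s+.*?-p\s+(?P<proto>tcp|udp)\b"
    r".*?--dport\s+(?P<port>\d+)\b.*?-j\s+(?P<target>\S+)"
)


@dataclass(frozen=True)
class OpenPort:
    proto: str
    port: int


def parse_inbound_accepts(dump: str) -> set[OpenPort]:
    """Return every (proto, port) the INPUT chain explicitly ACCEPTs."""
    opened: set[OpenPort] = set()
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m["chain"] == "INPUT" and m["target"] == "ACCEPT":
            opened.add(OpenPort(m["proto"], int(m["port"])))
    return opened


def find_drift(baseline: set[OpenPort], current: set[OpenPort],
               approved: dict[OpenPort, str]) -> dict[str, set[OpenPort]]:
    """Split the baseline/current difference into added, removed and unapproved ports."""
    added = current - baseline
    return {
        "added": added,
        "removed": baseline - current,
        "unapproved": {p for p in added if p not in approved},
    }


def report(drift: dict[str, set[OpenPort]], approved: dict[OpenPort, str]) -> list[str]:
    """One finding per changed rule; an empty list means the firewall matches the baseline."""
    lines: list[str] = []
    for p in sorted(drift["added"], key=lambda x: (x.proto, x.port)):
        if p in drift["unapproved"]:
            lines.append(f"UNAPPROVED open port {p.proto}/{p.port}: no change record")
        else:
            lines.append(f"approved open port {p.proto}/{p.port}: ticket {approved[p]}")
    for p in sorted(drift["removed"], key=lambda x: (x.proto, x.port)):
        lines.append(f"removed port {p.proto}/{p.port} (previously allowed)")
    return lines


# Constructed baseline: the configuration approved under change management.
BASELINE_DUMP = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
COMMIT
"""

# Constructed running state: 8443 was opened under a ticket, 3306 was not.
# (Hypothetical ports; the PDPO report does not name the port involved.)
CURRENT_DUMP = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT
"""

# Constructed change-management records: only 8443 has an approved ticket.
APPROVED_CHANGES = {OpenPort("tcp", 8443): "CHG-0042"}


def run_check() -> list[str]:
    """Run the drift check on the constructed dumps and return the findings."""
    baseline = parse_inbound_accepts(BASELINE_DUMP)
    current = parse_inbound_accepts(CURRENT_DUMP)
    return report(find_drift(baseline, current, APPROVED_CHANGES), APPROVED_CHANGES)


if __name__ == "__main__":
    for finding in run_check():
        print(finding)
```

Run from cron against a fresh `iptables-save` (or the equivalent export from whatever firewall is in use) and page on any UNAPPROVED line; a check like this, run daily, surfaces an out-of-process change on the first day rather than the twelfth.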
“In acknowledgment of the actions taken by the PDPO in addressing our expressed concerns regarding privacy, we express our commendation for their efforts in upholding the rights of individuals with regard to privacy and dignity. May this serve as a definitive indication to all entities involved in the collection and processing of personal data that the primacy of safeguarding personal data yields substantial commercial advantages,” stated Dorothy Mukasa, Executive Director of Unwanted Witness.
The PDPO has recommended that the Uganda Securities Exchange initiate disciplinary proceedings against the personnel involved in the breach. USE is further advised to implement its Information Systems Policies Manual throughout its operations, ensuring compliance with the Data Protection and Privacy Act. The exchange is expected to implement these recommendations, along with the others set out in the report, within three months.
About Unwanted Witness Uganda
Unwanted Witness Uganda is a civil society organization advocating for an open, secure, and accessible Internet that contributes to the realization of human rights and good governance in Uganda.