
PDPC widens probe into COE cyberattack affecting 350k members as hackers run 680k queries

Nigeria's PDPC is investigating a cyberattack on the Council of Engineers (COE) that exposed data of 350,000 members via 680,000 queries during a system upgrade.

Peter Olaleru/3 min/NG

Cybersecurity Editor

Source: Bangkokpost

Nigeria's Personal Data Protection Committee (PDPC) has significantly expanded its investigation into a cyberattack on the Council of Engineers (COE), confirming hackers executed 680,000 queries to expose data of up to 350,000 members.

Context

The Personal Data Protection Committee (PDPC) in Nigeria is intensifying its probe into a cyberattack that compromised the Council of Engineers (COE). This action follows the discovery of extensive data exposure affecting a substantial portion of the COE’s membership. The PDPC seeks to ensure compliance with the Personal Data Protection Act and accountability for the breach.

Key Facts

The breach, detected on April 17, occurred during a system upgrade from COE Service 2 to COE Service 3. This process, involving heavy data transfers, created temporary vulnerabilities, specifically disrupting access controls – the mechanisms that restrict who can view or modify information. Hackers exploited this window, running approximately 680,000 automated queries over a 10-hour period. These queries extracted sensitive personal data, including names, addresses, phone numbers, and professional license details across seven engineering fields. Up to 350,000 Council of Engineers members had their personal data exposed. The COE expresses concern that this stolen data could facilitate call center scams, impacting engineers nationwide.

What It Means

The PDPC is stepping up inspections and enforcement actions. This includes mandating specific remedies for all affected individuals and considering criminal action against those found responsible for the data compromise. Organizations must recognize that system upgrades, while necessary, present critical windows for attack if not managed with stringent security protocols. Robust access control measures are paramount, ensuring that even during maintenance, unauthorized queries are blocked. Regular security audits and proactive vulnerability management are essential to identify and close potential weaknesses before they can be exploited. This incident highlights the imperative for organizations holding sensitive personal data to implement layered security defenses.
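The query volume reported under Key Facts averages out to more than a thousand lookups per minute, a pattern that record-level monitoring can catch even while access controls are degraded. The Python detection logic below is an added example, not taken from the article or from any COE system: it flags a client that reads many different member records within a sliding window. The log format, client addresses, timestamps and the 30-record threshold are all constructed assumptions.

```python
from collections import defaultdict, deque, Counter
from datetime import datetime, timedelta

# Average rate implied by the article's figures: 680,000 queries in 10 hours.
INCIDENT_QUERIES_PER_MIN = 680_000 / (10 * 60)   # about 1,133 per minute

def parse(line):
    """Parse 'ISO-timestamp client=<id> member=<id>' (constructed log format)."""
    ts, client, member = line.split()
    return (datetime.fromisoformat(ts), client.split("=", 1)[1], member.split("=", 1)[1])

def detect_enumeration(lines, window=timedelta(minutes=1), max_distinct=30):
    """Return {client: first_alert_time} for clients that read more than
    max_distinct different member records inside one sliding window."""
    recent = defaultdict(deque)      # client -> (ts, member) events still in window
    counts = defaultdict(Counter)    # client -> member -> hits still in window
    alerts = {}
    for ts, client, member in sorted(map(parse, lines)):
        q, c = recent[client], counts[client]
        q.append((ts, member))
        c[member] += 1
        while q and ts - q[0][0] > window:   # evict events older than the window
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        # Distinct records, not raw request count, is the enumeration signal.
        if len(c) > max_distinct and client not in alerts:
            alerts[client] = ts
    return alerts

def sample_log():
    """Constructed log: one scripted client walking member IDs at about 19/s,
    and one portal user reloading a single profile many times."""
    t0 = datetime(2025, 1, 1, 2, 0, 0)   # arbitrary constructed start time
    lines = []
    for i in range(200):
        ts = t0 + timedelta(milliseconds=53 * i)
        lines.append(f"{ts.isoformat()} client=10.0.0.7 member={100000 + i}")
    for i in range(200):
        ts = t0 + timedelta(milliseconds=300 * i)
        lines.append(f"{ts.isoformat()} client=10.0.0.9 member=555")
    return lines

if __name__ == "__main__":
    for client, when in detect_enumeration(sample_log()).items():
        print(f"ALERT {client} first exceeded threshold at {when.isoformat()}")
```

Counting distinct records rather than raw requests keeps a user who repeatedly reloads one profile from triggering the alert, while a client stepping through member IDs is flagged within its first few seconds.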

The expanded PDPC investigation and its subsequent enforcement actions will establish key precedents for data protection standards across Nigeria. Organizations should review their incident response plans and data migration strategies immediately.
