Carelessness of Third Party a Major Cause of Data Breach at USE, PDPO


The Personal Data Protection Office (PDPO) has concluded its investigation into the data security breach involving the Uganda Securities Exchange (USE) and its technology partner, Soft Edge Uganda Limited.

This follows an alleged data leakage that resulted in unauthorized access to the personal data of individuals collected by USE.

In an official statement released by the PDPO on Thursday, July 13, 2023, it was revealed that Soft Edge Ltd was careless in their operations and did not follow the required ICT principles, leaving the client’s data vulnerable to the breach. Additionally, the measures to protect the data were not verified.

“The investigation found that the data security breach was caused by non-compliance with the Information Systems Policies Manual, the Data Protection and Privacy Act, and supporting Regulations.

The breach was specifically attributed to a change in the firewall configuration that left a port open, which did not follow the established change management procedures,” part of the findings read.

Another significant cause of the breach, according to the investigations, was unclear agreements between the parties regarding data maintenance and the different types of data allowed to be shared.

“Additionally, there were critical areas of non-compliance with the Data Protection and Privacy Act and supporting Regulations. For instance, the Maintenance Agreement between USE and Soft Edge Uganda Limited lacked necessary data protection and privacy clauses. It failed to specify the types of personal data to be shared and the obligations of both parties to ensure data security and privacy. This inadequacy left the parties without clear data protection and privacy-related responsibilities,” the findings indicated.

However, PDPO’s findings did not reveal the extent of the impact on the clients, considering the nature of the data that was exposed, such as the downloaded data, number of USE portal sign- and trading-related scams. The data regulatory body has promised to take action against USE and Soft Edge Ltd.

“The PDPO has commenced enforcement action against USE and Soft Edge Uganda Limited for noncompliance with the Data Protection and Privacy Act, and supporting Regulations in areas where violation of the law was established,” the PDPO press release read in part.

The PDPO is the national body responsible for the implementation of the Data Protection and Privacy Act and attendant Regulations. PDPO coordinates, supervises and monitors all organisations collecting and processing personal data within Uganda and outside Uganda where it relates to Ugandan citizens.