Why The Kenyan IT Industry Keeps Getting Hacked – Hint: It’s An Inside Job!
Getting hacked has cost Kenya billions. So when a tweet emerged in the wee hours from George Njoroge, CEO and Managing Director, East African Data Handlers, Cyber and Computer Forensic guru declaring, “BREAKING; A Mobile Money company has been Hacked. Sacco’s and Microfinance banks B2C API hit, millions lost!” it was only natural to reach out to him.
Hackers may have called for a ceasefire, but that has not stopped malware from creeping into the internet. Just yesterday, Atlas VPN released a report stating that over the past week alone there have been more than 22 million hacks. Phishing has been particularly scammy, sending emails swearing to have healthcare solutions to Covid-19. The Gates Foundation, World Health Organization (WHO), and Wuhan Institute of Virology have all been hacked in the past 24 hours with thousands of emails, passwords, and documents all leaked online.
Bringing it back to our corner of the world, the entity that was hacked inspired a one-on-one with George where the hackers’ dust never truly settles.
How can Saccos digitalise and stop themselves from getting hacked?
The biggest problem that a lot of Saccos have is the sophistication required to digitise them, and the cost required is very prohibitive. If you look at say, getting a switching system, getting in-house security to hiring a qualified Chief Information Security Officer (CISO), it all proves very expensive. And all these Saccos are significantly small. There has to be a mechanism where they come together to provide what is a managed security service maybe even with a third party, and cost-share. Otherwise if a Sacco is looking at hiring their own qualified CISO, the salary of a head of security is around Kshs 200,000 to Kshs 300,000, and that is the same as the salaries these Saccos are offering their CEOs. They can’t find someone qualified at less than that salary.
With regard to this local hacking, what specifically was hacked? The network? Computers?
We would be talking at the infrastructure level which is normally at the end-point. Either at the API where applications are running, or where the infrastructure is being installed.
Are there any third parties or clients who have been affected?
Remember that the money that is lost is largely the clients’ money. If your bank loses your money, it can’t call you and tell you they lost your Kshs 30m. The hack will end up affecting their bottom line when it comes to covering these losses because that is what they have to do.
Were there any visible symptoms before the hacking happened?
A system can be susceptible to things that are happening, and it is a constant problem. UNAITAS Sacco came forward and issued a statement to the effect that they were not the ones who were hacked. This tells you the level of concern, whether the concern is as a result of knowing that you are the one who got hacked or not. It resonates when someone may have lost money.
This kind of thing happens. What happens is that the symptoms are normally driven by using the same technocrats within the industry. Let me explain why. When M works for Bank A, is very good at what he does, if he does anything criminal and there is an investigation, the most natural thing is that he will end up resigning. But because of his unique set of skills, M is a very in-demand guy.
What happens then is, he goes to Bank B. Bank B will end up picking someone who has character flaws that genuinely affect the industry owing to the fact that he has a perpetual problem, owing to the fact that he lost his Bank A job by being dishonest.
Part of the problem is the recycling of the same old IT guys within the same market. You will find that the IT security people have worked in most banks. It now becomes the genesis of the biggest problem, because now if one of them is susceptible, it is a problem still. Whether they go to Sacco A, Bank C, or Saccos B and C. So when you ask for symptoms, the symptoms begin during the recruitment process.
Any idea if it was an inside or an outside job?
Yes and no. Yes in that there are insiders who were involved. More often than not it is bound to be outsiders. But some of these activities, trade wise, have been a group of individuals that have been involved, and who are continuously recruiting. This is like a web of people who are continuously doing these kinds of things.
Is there no way to monitor this? No association, body, professional requirements, code of ethics, anything of the sort?
The IT industry is very porous. It is rather like the touting industry in that you have no idea who has worked where. Porous means people will work here and there, and become very skilled. But then again the problem is, what if we are not necessarily honest?
How quick was the response time from hacking to things getting back to normal?
About 2 hours. How much money can you move from a bank within two hours if you had the opportunity? That tells you two hours is a significant amount of time that seriously affected such.
Is this the first time this kind of hacking has happened?
Not at all.
Would you know if they have put mechanisms in place as a result of learning from their previous encounters?
I don’t know as this is not their first time nor is it their first year. It has happened over the years and to be honest I don’t see it ending. 3 to 6 months from now we will still be saying the same thing.
What is the extent of the losses to the infrastructure?
I would say that it is a patching issue. It is a generic problem that has to be fixed from the operator level.
Do you know who they will work with to design and implement a security plan going forward?
Everybody has their preferred choice of vendors who they work with so it may not necessarily be one problem. And that is why you find that this patching issue becomes difficult. You will patch one Sacco/bank but the rest of the sector is not patched. So the problem perpetuates. Unlike a situation where it is fixed at the operator level, then it applies across the board.
What can Saccos do to save themselves the agony of falling victim to such attacks?
I just mentioned getting skilled labour, which is expensive. They could try secret monitoring tools, then implementing AI whether in house or by outsourcing it. By definition, AI generally defines the system by being able to look after historical data and predicting the future thus being able to spot an anomaly.
Finally, are we likely to experience more of these hacks now that Covid-19 has accelerated the pace of engagement?
Remember anything that is quickly adopted has quick challenges. So in this case you will find that one will continuously have to patch up. But that is not necessarily a bad thing. Even a human being is constantly updated with instances such as vaccinations and cell regeneration.