Officials in Ghana are looking into an alleged data breach that might have exposed the personal information of thousands of Ghanaians. Researchers from vpnMentor claim to have uncovered a goldmine of unencrypted material related to Ghana’s National Service Secretariat (NSS) in an Amazon Web Services (AWS) storage silo.
NSS oversees the one-year public service programs required of most Ghanaian graduates, under which thousands of young people work for a year in fields such as healthcare and education as part of their national service. According to vpnMentor, some of the three million documents connected to NSS's work stored on an AWS S3 bucket were password-protected. But many were not, a mistake that exposed the data of an estimated 500,000-600,000 people from March 2018 until the end of 2021.
The AWS S3 bucket itself was not encrypted or password-protected in any way. According to vpnMentor, the instance was misconfigured and password protection was applied inconsistently, so that open versions of sensitive password-protected files could be accessed in other directories. Personal information, scans of ID cards and photographs, as well as employment records, were all stored on the cloud-based storage system. The NSS's job notices, payment receipts, and internal communication files were kept in the same bucket.
Thousands of Ghanaians might be at risk of phishing, tax fraud, and other types of identity fraud due to the exposed information. According to vpnMentor researchers, many of the documents had the NSS logo and language explicitly relevant to the scheme. The incident, along with suggested remedies, was reported to NSS and Ghana's Computer Emergency Response Team (GH-CERT).
vpnMentor detected the alleged breach on September 29 and notified authorities on October 6, kicking off a lengthy disclosure procedure. In follow-up inquiries, GH-CERT was asked whether any exposed AWS S3 buckets had been made inaccessible to the public, but no response has yet been received.