The payroll validation section of the Integrated Personnel and Payroll Information System, IPPIS, on the official website of the Office of the Accountant-General of the Federation, OAGF, headed by Oluwatoyin Sakirat Madein, has been hijacked by unknown hackers.
IPPIS is the federal government employees’ payroll.
Similarly, workers’ personal data stored on the official website of the IPPIS Secretariat, a department at the OAGF, is also exposed to attack.
The TLS (SSL) certificate of the IPPIS Secretariat’s website had expired and remained unrenewed for over a year.
The functions of the secretariat and that of the OAGF are interconnected.
While the secretariat functions to securely manage the IPPIS, the federal government employees’ payroll, the OAGF’s area of responsibility includes the supervision of accounts of federal ministries, departments and agencies, MDAs.
An expired certificate does not by itself open the website’s directory to attackers, but it is a recipe for a breach of the data kept there: every browser now warns visitors that the connection cannot be trusted, staff are trained to click through such warnings, and the lapse signals that nobody is maintaining or monitoring the site, which is exactly the condition under which the records it holds go unprotected.
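The check behind this finding is easy to automate. The script below is an added example, not part of the original report or any OAGF system: it performs the same handshake a browser would, reports a certificate that the system trust store rejects (an expired one fails with the reason “certificate has expired”), and for a valid certificate computes how many days remain before it expires so that a lapse is caught before it happens. Hostnames are supplied on the command line; the sample certificate fields in the comments and the 30-day warning threshold are assumptions for illustration.

```python
"""Check whether a host's TLS certificate is expired, expiring, or trusted.

Added example (not from the article). Usage:
    python cert_check.py example.org another.example.org
"""
import socket
import ssl
import sys
from datetime import datetime, timezone
from typing import Optional


def days_until_expiry(cert: dict, now: Optional[datetime] = None) -> float:
    """Days between `now` (UTC) and the certificate's notAfter.

    `cert` has the shape returned by ssl.SSLSocket.getpeercert(), e.g. the
    constructed sample {"notAfter": "Jun  1 12:00:00 2024 GMT"}.
    """
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now_ts = (now or datetime.now(timezone.utc)).timestamp()
    return (not_after - now_ts) / 86400.0


def classify(cert: dict, warn_days: int = 30,
             now: Optional[datetime] = None) -> str:
    """'expired', 'expiring' (inside the warning window) or 'ok'."""
    days = days_until_expiry(cert, now)
    if days < 0:
        return "expired"
    if days < warn_days:
        return "expiring"
    return "ok"


def check_host(host: str, port: int = 443, timeout: float = 10.0) -> dict:
    """Connect with full verification (chain + hostname), like a browser.

    An expired, self-signed or mismatched certificate fails verification, and
    the OpenSSL reason ("certificate has expired", ...) is returned instead of
    the certificate, because getpeercert() is empty when verification is off.
    """
    ctx = ssl.create_default_context()
    result = {"host": host, "status": None, "days_left": None,
              "not_after": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
        result["status"] = classify(cert)
        result["days_left"] = round(days_until_expiry(cert), 1)
        result["not_after"] = cert["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # Must be caught before OSError: SSLError is a subclass of OSError.
        result["status"] = "untrusted"
        result["error"] = exc.verify_message
    except OSError as exc:
        # DNS failure, refused connection, timeout, or a non-TLS listener.
        result["status"] = "unreachable"
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    for hostname in sys.argv[1:]:
        print(check_host(hostname))
```

Run it from a scheduled job against every public hostname an institution owns and alert on anything other than `ok`; the `expiring` state is the one that prevents the year-long lapse described above, and `untrusted` with `verify_message` set to “certificate has expired” is what a visitor to such a site is already seeing.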
Workers’ information such as surnames, middle names, first names, phone numbers, email addresses and dates of birth is exposed.
Other critical information left unsecured on the website includes maiden names, dates of employment, salary structure, and the grade level and step of individual workers.
A web section named ‘IPPIS Payroll Validation’ on the OAGF’s main website has also been hijacked.
Clicking on that payroll validation section opened a new webpage showing an unreachable web address.
“This site can’t be reached” was the message that popped up.
A further check on the web address, https://ippisportal.helixfons.com/, raises more questions. The domain was registered at Kalkofnsvegur 2, Reykjavik, the capital of Iceland. That address is the registered office of a WHOIS privacy service used by a large domain registrar to mask registrant details, so it identifies the privacy proxy rather than the person or firm who actually registered the domain, whose location remains unknown.
Similarly, the secretariat’s social media handles appear to have been taken over.
Like many organisations, the secretariat has social media handles, including on X and Facebook, and linked them from the website.
Clicking on the X and Facebook links leads to unrelated pages, indicating either that the accounts have been hijacked or that placeholder links from a purchased website template were never replaced with the secretariat’s own; either way, the links the public is sent to are not under the secretariat’s control.
For instance, the Facebook link led to a page named ‘DevItems,’ a web design firm that last posted on February 9, 2020, and is supposedly based in Atlanta in the United States.
The X link takes one to a suspended handle, @devitemsllc, which evidently belonged to the same web design firm.
The health of these websites has clearly been compromised, and there is a strong indication that the information stored on them could have been harvested by internet criminals.
Under the Nigeria Data Protection Act, personal data is any information relating to an individual who can be identified or is identifiable, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, cultural, social, or economic identity of that individual.
The sensitivity of a full name, date of birth, phone number and email address comes from the fact that people routinely use exactly these details for banking and other financial transactions, and to recover access to their accounts.
In the case of government workers, the information can be linked to their salary accounts and other digital accounts. With their sensitive information left unguarded by the government, they are open to privacy breaches.
When such information is not protected, an attacker can do many things with it, phishing being the most immediate.
Phishing is the fraudulent practice of sending emails or other messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.
Those details are tied to workers’ financial records, because whatever a worker has given the payroll system must match what is on file at their bank. In short, it bodes ill should an attacker gain access to them.
This exposure of workers’ personal data may also bear on why some workers have been reporting unexplained deductions from their salaries, with no satisfactory explanation from the secretariat or even the OAGF.
Some workers affiliated with federal medical establishments including the University College Hospital, Ibadan; the National Orthopaedic Hospital, Kano; and the Ahmadu Bello Teaching Hospital, Zaria, have lamented how some portions of their salaries were deducted to service loans they did not obtain.
The exposure of this personal information shows poor data management by public institutions.
Despite the existence of laws and regulations requiring adequate maintenance of websites and the protection of citizens’ data, the failure of government institutions to effectively discharge this responsibility is public knowledge.
The National Information Technology Development Agency, NITDA and the Presidential Enabling Business Environment Council, PEBEC statutorily mandate government institutions to maintain a quality website safe for information-keeping and also enable citizens to demand quality service delivery.
Section 7.2 of the NITDA guidelines, which applies to government websites, reads in part: “Government Institutions shall: i. Commit to a continuous process of maintaining the security of Web Servers to ensure continued security. ii. Use authentication and cryptographic technologies as appropriate to protect certain types of sensitive data with differing access privileges. iii. It is recommended that SSL be used for any cryptographic implementation.”
From the police to the presidency, a pattern of poor management of official websites has emerged.
In April, the official website of the State House was restored to normal only after it was reported that its SSL certificate had been expired for two weeks without renewal. A similar incident played out with the official website of the Nigeria Police Force, NPF, in the same month.
A few months ago, an exposé was published on how citizens’ national identification data had been illicitly harvested and commercialised by XpressVerify, a dodgy private website.
The media backlash that followed forced the National Identity Management Commission, NIMC, Nigeria’s identity management agency, to disclaim any responsibility for the breach and promise to investigate the incident. This came after the website host had deactivated the site’s domain name.