The African Union wants you to have full data sovereignty
Uganda places seventeen under surveillance for $17M breach
CybAfriqué is a space for news and analysis on cyber, data, and information security on the African continent.
During a Data Protection course I took in September, a piece of reading material led me to do a deep dive into issues around data privacy and protection in Africa. My conclusion was that Africans’ indifference to privacy issues is grossly exploited. Brazenly! Perhaps the time for that to stop has come.
Hello there, this is Noah. It took me an extra 20 minutes to add this very paragraph because I am very excited to be writing to you. I hope you enjoy reading this edition as much as I enjoyed writing it.
— Noah
HIGHLIGHTS
The African Union wants you to have full data sovereignty
In the continued conversation about transparent data privacy practices, the African Union Commission on Human and Peoples’ Rights has adopted a resolution calling on member states to hold public and private organizations, especially big tech platforms, accountable for their obligation to make the personal data they collect and process available and easily accessible to African data subjects, as required by the Malabo Convention and other global data privacy laws.
The Right of Access is a guaranteed right of data subjects, as stated in several global, regional, and national data privacy and protection laws. According to Article 15 of the GDPR: “The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information.” This basically means that you are informed of the purpose for which your data is collected, the people who will have access to your collected data, and the specific type of data collected, and that you retain a right to erase your data whenever you want.
Despite these laws, many organizations, especially big tech platforms, find it easy to deny Africans their rights to data sovereignty, especially as regulatory and infrastructural issues limit oversight. As we saw recently in the case of LinkedIn, large corporations still use collected data for unstated purposes. In Nigeria, data submitted to the National Youth Service Corps has been found in the possession of politicians, who then use it to send targeted political campaigns. Studies also show that students in African universities have minimal to zero data autonomy.
The resolution calls on African nations to ensure that even private actors, where there is an overriding public interest in access, make subjects' information publicly available by default, as is the case in other climes.
Seventeen under surveillance in relation to the Bank of Uganda Breach
One of the leading highlights of last week’s newsletter was the breach of the Ugandan Central Bank by a threat actor known as “Waste”, who stole 62 billion shillings ($17 million) from its accounts. The story has since taken a surprising turn: new reports state that the operation included insiders, namely staff of the Uganda Central Bank and the nation’s finance ministry.
This revelation emerged after authorities ordered an investigation. The Ugandan Minister of Finance, Henry Musasizi, confirmed the breach but said that the amount stolen is less than the $17 million popularly reported. He refused to provide accurate figures until the probe concludes.
Insider involvement in financial fraud like this isn't uncommon on the continent, especially as it intersects with underlying socioeconomic issues such as corruption and economic despondency. As the Chief Risk Manager of the Central Bank of Nigeria once said, “The biggest problem with fraud today is insider fraud.” Incidents like this continue to confirm his opinion.
Fingers have been pointed at at least 17 people, who are being investigated in the probe as recovery efforts continue. Suspects include nine people from the Bank of Uganda, six from the Finance Ministry, and two from the Accountant General’s office. They are reportedly under tight security surveillance, and their gadgets, such as laptops and smartphones, have been confiscated to assist the digital forensics efforts to investigate the incident and to track and recover the stolen funds.
According to reports, the nation’s Criminal Investigations Directorate (CID), alongside the bank, promptly sent alert notices to authorities in Japan and the UK and to INTERPOL’s headquarters. So far, over $11m traced to UK accounts has been frozen, while unconfirmed leads to three other countries are still being investigated.
Although tracing cyber-enabled fraud can be challenging, collaboration between countries and cross-border enforcement agencies can facilitate effective investigation and successful recovery of funds, as we’ve noticed in recent times, including in INTERPOL’s operations in Africa.
FEATURES
A 2023 Organized Crime Index produced in partnership with Interpol’s Institute for Security Studies ranked Kenya top in Africa in cyber-dependent crimes, ahead of Nigeria and South Africa.
According to the National Crime Research Centre, the leading types of crimes reported in the country last year were computer fraud, identity theft, impersonation, and interception of electronic messages or money transfers. This article details how Kenya became a cybercrime hotspot.
Still on data protection and privacy in Africa: a digital rights inclusion and advocacy group, Paradigm Initiative (PIN), has sued the National Identity Management Commission (NIMC), the agency in charge of Nigeria’s identity database, for failing to safeguard Nigerians' data. The Executive Director of PIN, Gbenga Sesan, said the case, which is set for hearing in January 2025, was filed at the Federal High Court Abuja in October 2024, months after NIMC denied reports of another alleged breach of its database that compromised millions of Nigerians' information in June.
HEADLINES
ACROSS THE WORLD
Malicious Ads in Search Results Are Driving New Generations of Scams - WIRED
EU demands TikTok 'freeze and preserve data' over alleged Russian interference in Romanian elections - The Record
Fourteen million telecom customers' phone numbers and locations exposed - Cybernews