Noam Rotem and Ran Locar, researchers for VPNMentor, stated that Ghana's National Service Secretariat (NSS) has encountered a significant database malfunction that compromised the data of up to 700,000 individuals from and around the country, totaling 55GB of data.
According to the researchers, this leak poses a serious risk to Ghanaian government employees affiliated with the organization as well as thousands of its people. The exposed database was identified on September 29, 2021, and the NSS and CERT-GH were contacted between October 6th and 12th, 2021.
NSS is essentially a government initiative that oversees a year of mandatory public service for Ghana-based graduates of selected educational institutions. Every year, thousands of students enroll in this program to work in various public areas such as healthcare.
As per the VPNMentor research, the NSS used Amazon Web Services (AWS) to store approximately 3 million files from its various applications.
Although some of the documents in the cloud storage account were password-protected, the majority of the files, as well as the database, were still accessible to the public.
“While the NSS had password-protected many documents stored on the S3 bucket, the bucket itself was left completely open, leaving the contents totally exposed and easily accessible to anyone with a web browser and technical skills,” VPNMentor’s report read.
This breach exposes the personal information of at least 700,000 people, leaving them vulnerable to fraud, identity theft, and hacking scams. Furthermore, employees working for the government agency have become subject to a variety of threats.
The compromised database contains participants' program membership cards and identity documents, such as the Ghana National Health Insurance Scheme, professional IDs based on the candidate's placement industry, and so on.
Moreover, the organization saved several types of passport photographs submitted by participants. The Computer Emergency Response Team of Ghana (CERT-GH) has acknowledged that the database was compromised and has stated that the problem will be resolved as soon as possible.