A year ago, Access Bank Kenya was hacked and sensitive records belonging to its clients were shared online after the bank’s management failed to pay the ransom that the hackers had demanded.
At that time, Kenya was still grappling with debates over data protection laws; one bill was on the floor of the Senate and the other at the National Assembly.
Worse still, the bank, then known as Transnational, has not made any effort to have the data removed from the online platforms where most of it is still on sale.
System audit exposed the bank’s weakness
An audit report prepared by the firm Ernst & Young LLP on the information and communication technology controls of Transnational Bank paints a grim picture of the ICT system at the bank.
One of the revelations that caught the eye of this KenyanBusinessFeed.com editor was listed under ‘inadequate password and security settings’. The report stated that ‘the passwords did not meet the minimum complexity requirements’. The systems also allowed ‘concurrent multiple logins’ on the ‘Chapaa Popote, Chequepoint Truncation System, Paynet and Simba HR Cube systems’.
The second pointer to weak systems in the audit report was ‘inappropriate access to IT administrator role in Chequepoint and Simba HR Cube System’. The audit, signed by EY Risk Advisory Leader for Eastern Africa Mr Robert J. Nyamu, stated that ‘business users had access to administrative IT rights and could create new users’. It also said that ‘during the review of inward cheque processing on the application, we observed that the user used the ‘Admin’ account to approve the cheque files after upload and adoption by the clearing clerk’.
This ‘increases the risk of overriding controls within the application’, which could lead to ‘unauthorized activities conducted on the payroll’.
The third weakness was ‘lack of role monitoring of users and user activity in systems’, which posed a ‘risk that application access violations and inappropriate transactions may not be identified in a timely manner’.
The fourth weakness was ‘system issue with reset accounts on Chequepoint Truncation System’. This posed the ‘risk of user intentionally or unintentionally interfering with financial information by gaining access to more than one user account on the application’.
The last risk concerned the server room, where the auditors noted the weak access control of the server room.
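As an added illustration (not part of the article or of the EY audit), the following Python script shows the kind of automated checks that would have flagged the first four findings: a password-complexity test, a concurrent-login check over a session log, and a segregation-of-duties check that flags cheque files approved with a shared ‘Admin’ account or by their own uploader. The system names, account names, policy thresholds and log lines are constructed for the example and are not taken from the bank’s systems.

```python
"""
Added example (not from the article or the EY audit): three small
control checks matching the audit findings quoted above: password
complexity, concurrent logins, and a shared 'Admin' account approving
cheque files uploaded by a clerk (segregation of duties).
All system names, accounts and log lines below are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict

# --- Finding 1: password complexity -----------------------------------
# Assumed policy; the audit does not state the bank's actual minimum.
MIN_LENGTH = 12


def password_issues(pw: str) -> list[str]:
    """Return the complexity rules a password fails (empty list = compliant)."""
    issues = []
    if len(pw) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH}")
    if not re.search(r"[a-z]", pw):
        issues.append("no lowercase")
    if not re.search(r"[A-Z]", pw):
        issues.append("no uppercase")
    if not re.search(r"\d", pw):
        issues.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        issues.append("no symbol")
    return issues


# --- Finding 1 (cont.): concurrent multiple logins ----------------------
# Constructed session log, one event per line: "timestamp user system event session_id"
SESSION_LOG = """\
2019-12-02T08:01:00 jmwangi chequepoint LOGIN s1
2019-12-02T08:03:00 jmwangi chequepoint LOGIN s2
2019-12-02T08:10:00 akamau paynet LOGIN s3
2019-12-02T08:30:00 jmwangi chequepoint LOGOUT s1
2019-12-02T08:31:00 akamau paynet LOGOUT s3
"""


def concurrent_logins(log: str) -> dict[tuple[str, str], int]:
    """Return {(user, system): peak simultaneous sessions} for pairs that exceeded one."""
    active: dict[tuple[str, str], set[str]] = defaultdict(set)
    peak: dict[tuple[str, str], int] = defaultdict(int)
    for line in log.splitlines():
        _ts, user, system, event, sid = line.split()
        key = (user, system)
        if event == "LOGIN":
            active[key].add(sid)
            peak[key] = max(peak[key], len(active[key]))
        elif event == "LOGOUT":
            active[key].discard(sid)
    return {k: v for k, v in peak.items() if v > 1}


# --- Findings 2 and 3: segregation of duties on cheque files ------------
# Constructed application audit trail: "timestamp account action file_id"
CHEQUE_LOG = """\
2019-12-02T09:00:00 clerk01 UPLOAD chq-1001
2019-12-02T09:05:00 Admin APPROVE chq-1001
2019-12-02T09:20:00 clerk02 UPLOAD chq-1002
2019-12-02T09:40:00 supervisor01 APPROVE chq-1002
2019-12-02T10:00:00 clerk02 UPLOAD chq-1003
2019-12-02T10:02:00 clerk02 APPROVE chq-1003
"""
# Shared privileged accounts that should never perform business approvals.
PRIVILEGED_ACCOUNTS = {"Admin"}


def sod_violations(log: str) -> list[str]:
    """Flag files approved with a privileged account or approved by their own uploader."""
    uploader: dict[str, str] = {}
    findings = []
    for line in log.splitlines():
        _ts, account, action, file_id = line.split()
        if action == "UPLOAD":
            uploader[file_id] = account
        elif action == "APPROVE":
            if account in PRIVILEGED_ACCOUNTS:
                findings.append(f"{file_id}: approved with privileged account {account}")
            elif uploader.get(file_id) == account:
                findings.append(f"{file_id}: uploaded and approved by the same user {account}")
    return findings


if __name__ == "__main__":
    print(password_issues("bank123"))
    print(concurrent_logins(SESSION_LOG))
    for finding in sod_violations(CHEQUE_LOG):
        print(finding)
```

Each function returns its findings rather than only printing them, so the same checks can be run on a schedule against exported logs and fed into a monitoring system, which is the ‘role monitoring of users and user activity’ the audit found missing.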
“During the review of the server room, the following weaknesses were noted: The floor on the server room is raised using wooden material which is combustible. Other combustible materials noted include; the material used for the ceiling and a wooden plank lying on the floor. Combustible material was also observed in the area just outside the server room which is used as a storage area. There was no automatic fire suppression system in the server room. Environmental factors to be controlled in the server room e.g. temperature levels, dust levels, humidity levels, other gases etc. are not monitored. Temperature level is monitored manually by physically going to the server room. There is no warning sign prohibiting drinking, eating and smoking in the data center”.
Though Ernst & Young LLP made recommendations to address the above, it is highly unlikely that the bank has implemented them.
We infer this from the date of the report, which is given as 31st December 2019. The bank’s acquisition by Access Bank, the Nigerian lender led by Herbert Wigwe, was completed at the end of January, and we have noted no activity towards renovations or similar work since.
Going by the above stated weaknesses, Transnational Bank was open for hacking.
Immaculate Kassait now serves as Commissioner of the newly created Office of the Data Protection Commission, having been nominated by President Uhuru Kenyatta in October 2020.
It is good that Kenya pulled this off, but serious breaches like the one that happened at Access Bank should be treated with the seriousness they deserve.