Nigeria: Recommended Best Practices For Addressing The Susceptibility Of Social Media Accounts To Data Theft In Nigeria

 

By Idorenyin Ekpenyong

S.P.A. Ajibade & Co.
                                   

In today's world, social media has become an integral part of our daily lives, but it is also a source of concern when it comes to data theft. With the increased global use of social media, there are more opportunities to steal identities or perpetrate fraud online. For example, status updates posted on Twitter, Facebook and many other social media sites can be used by criminals. Social media facilitates the sharing of ideas and information through virtual networks and cybercriminals often target social media platforms to gain access to user's personal information and data, which can then be manipulated for various fraudulent activities. Nigeria as a case study is not immune to this issue, and the Nigerian government has taken several steps to combat data theft on social media.

In Nigeria, an important law that addresses social media accounts and data theft is the Nigeria Data Protection Act. This law provides guidelines for the collection, use, and storage of personal data in Nigeria, and requires organizations to obtain the consent of users before collecting or using their data. The Cybercrimes (Prohibition, Prevention) Act is the primary law that governs cybercrime in Nigeria. It constitutes the major legal Framework for the prohibition, prevention, detection, response and prosecution of offences deemed to be cybercrimes. The Cybercrimes Act's explanatory memorandum specifically states that the Act provides a wholesome framework for the curbing of cybercrimes in Nigeria as well as the protection of critical national information infrastructure, and the promotion of cybersecurity, intellectual property and privacy rights. The Nigerian government in response to cyber threats in the country has also established the Nigeria Computer Emergency Response Team (CERT). The aim of CERT is the coordination of responses to cyber incidents as well as providing training to law enforcement agencies and other stakeholders, and raising awareness about cyber threats and data theft.

Under the Act, data theft is a criminal offense and anyone who intentionally obtains unauthorized access to a computer system or network, with the intent to commit an offense, is guilty of an offense. The offense is punishable by a fine of N7,000,000 (Seven Million Naira) and/or imprisonment for up to 5 years. In addition to the Cybercrimes Act, the Nigerian Communications Commission (NCC) has also launched a campaign with the aim of taking steps to combat data theft on social media and social media accounts. The NCC is the regulatory body responsible for the telecommunications industry in Nigeria, and it has consistently issued multiple guidelines which are aimed at protecting the end users from cybercrime. An example of this can be seen in the NCC issued guidelines⁵ on data protection and privacy, which require telecommunications companies to protect their customer's personal information against any form of data theft.

It has also established CSIRT (Computer Security Incidence Response Team) for the telecommunication industry. The CSIRT is an organization or team that provides, to a well-defined constituency, services, and support for preventing and responding to computer security incidents. It helps organizations and individuals contain and recover from computer breaches, security, and threats. The team can be formalized or set up ad-hoc. A formalized team performs incident response work as its major job function while an ad-hoc team is called to respond to an incident when the need arises.

Social Media is a platform used by fraudsters to manipulate unsuspecting users. For most people, social media is a platform to connect and communicate with friends, but for cyber criminals, it is a goldmine of personal information and potential scams. Threat actors routinely use social media to commit fraud, impersonate trusted brands and executives, and target users from across the globe. These attacks are common because they rely on human error. That is, a victim making the mistake of clicking on a malicious link in their private messages or a post or ignorantly handing over information to a scammer to commit identity theft.

Social media accounts are particularly susceptible to data theft in Nigeria, as they contain a wealth of personal information that can be harvested and used to gain access to other accounts or to commit other forms of cybercrime. Social media accounts may also be specifically targeted by hackers who are trying to gain access to sensitive information or to spread malware or other harmful software with limited government oversight, industry standards or incentives to educate users on security, privacy and identity theft and fraud. Additionally, these platforms routinely hold/store confidential user information vulnerable to outside or inside attack. Data theft as we know involves the unauthorized access, copying, or use of personal or sensitive information, including login credentials, financial information, and other personal data.⁷

SOME COMMON CAUSES OF DATA THEFT

Data theft or digital theft occurs through a variety of means. Some of which are:

1. Falling for Phishing Attack
   
   phishing occurs when an attacker masquerades as a trusted entity to dupe a victim into opening an email, text message, or instant message. Users falling for phishing attacks is a common cause of data theft.
   
   
2. Using Easily Guessed Passwords
   
   Using easily guessed or same password for multiple accounts, can allow attackers to gain access to data. Poor password habits such as, writing passwords on a piece of paper or sharing them with others can also lead to data theft.
   
   
3. Insider Threats
   
   Employees in organizations have access to customer's personal information. Disgruntled contractors could copy, alter or steal data. This pattern is not only restricted to current employees, erstwhile employees, contractors, or partners who have access to an organization's systems or sensitive information.
   
   
4. Human Mistakes
   
   Data breaches may not always be the result of malicious actions. Common errors include sending sensitive information to the wrong person such as sending an email by mistake to the incorrect address, attaching the wrong document, or handing a physical file to someone who should not have access to the information. Alternatively human error could involve misconfiguration, such as an employee leaving a database containing sensitive information online without any password restrictions.
   
   
5. Database or Server Attack
   
   An attacker can access customer's personal information if a company storing the information is attacked because of database or server problem.
   
   
6. Compromised Downloads
   
   Downloading programs or data infected by viruses like worms or malware can give criminals unauthorized access to their devices, allowing them to steal data.

BEST PRACTICES

By implementing the following best practices outlined below, one could enjoy the benefits of social media without becoming a target for criminals.

1. Participate in security awareness training and engage with the learning materials and phishing simulations to help identify manipulations techniques that cybercriminals use.
   
   
2. Be cautious when giving out social security numbers, driver's license numbers or other identification numbers.
   
   
3. Consider unique usernames and passwords and change them regularly. Most social media platforms rely on permanent passwords over One-time password (OTP) Therefore, choosing the right combination of letters, numbers, and special characters is essential for setting a unique password.
   
   
4. Minimize the use of personal information on profiles that may be used for password verification or phishing attacks.
   
   
5. Only invite people to your network that you know or have met, as opposed to friends and strangers.
   
   
6. Restricting who can see your posts on social media reduces the likelihood of a cybercriminal conducting questionable reconnaissance.
   
   
7. If you encounter a link from a source that isn't reliable, instead of clicking on it, contact the sender directly to confirm if the message is legitimate.
   
   
8. The Nigeria Police Force cybercrime units responsible for looking after the cases and discrepancies regarding social media and the web. If the identity theft is serious, you must report it to the cybercrime unit at the nearest police station. They will ask specific questions about the issue and verify the problem by investigating your account to catch the scammer.
   
   
9. Internet security software can protect your identity and IP address when surfing the web or using social media platforms. You might sometimes click on certain links that end up downloading malware to your device, which can steal your personal information. However, you can solve this issue with internet security.

Despite these measures, social media accounts remain vulnerable to data theft in Nigeria, and users must take steps to protect their data from theft on social media accounts as regulations are still at the nascent stage. Every social media platform provides options to implement certain basic privacy and security settings. It is essential to check these settings and customise them effectively. Make sure to conceal most of your personal details, such as birthday, current location, workplace, etc. Moreover, try to keep your account private from outsiders who do not belong to your friends list. Most social media platforms also allow users to restrict their profiles from strangers. Make sure that your profile is not visible to anyone outside your common friends and relatives. You can also restrict some people from visiting your profile and viewing your posts. This will help to prevent unwanted scammers from checking and monitoring your activities on social media.

Footnotes

1. Idorenyin Ekpenyong, NYSC Associate Intellectual Property Department, SPA Ajibade & Co, Lagos, Nigeria.

2. Section 24 and 26 of Nigeria Data Protection Act, 2023.

3. The ngCERT is the Nigerian version of the national computer emergency response team domiciled within the office of the National Security Adviser.

4. Section 22(1)(2)(3) of CyberCrimes (Prohibition & Prevention, Etc) Act, 2015.

5. Guidelines for the Provision of Internet Service Published by the Nigerian Communication Commission 2003 Part II: Paragraph 5.

6. See, https://www.fortinet.com/resources/cyberglossary/internet-fraud,(accessed on 30^th June 2023).

7. See, https://www.eonetwork.org/octane-magazine/special-features/social-media-networks-facilitate-identity-theft-fraud, (accessed on 30^th June 2023).

8. See, https://www.eonetwork.org/octane-magazine/special-features/social-media-networks-facilitate-identity-theft-fraud ,(accessed on 30^th June 2023).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.