Apart from personal and financial records, the data also included plain-text login credentials, including usernames and passwords, of customers and businesses using the Easy Portal of the Uganda Securities Exchange.
The Uganda Securities Exchange (USE), the principal stock exchange in Uganda, has been caught leaking highly sensitive financial data of its customers and business entities across the globe.
This was revealed to Hackread.com by Anurag Sen, a prominent IT security researcher known for identifying exposed servers and alerting relevant authorities before it’s too late. Anurag is the same researcher who discovered Australian trading giant ACY Securities to be exposing 60GB worth of data earlier this month.
It all started when Anurag, scanning for misconfigured databases on Shodan, noted a server exposing more than 32GB worth of data to public access. According to Anurag, the server belonged to the Uganda Securities Exchange’s Easy Portal. For your information, Easy Portal is an online self-service portal that lets users and trading entities view stock performance, view statements, and monitor their account balance.
“There are other ports running on the server which opened the link to the Bank of Baroda – which is an Indian-based company operating in Uganda. Also, it is registered under the Uganda Securities Exchange.”
Anurag told Hackread.com
What Data was Leaked
Upon further digging into the humongous dataset, Anurag concluded that the exposed records were of a sensitive nature. The worst part of the data leak is the fact that the server was left exposed without any security authentication.
This means anyone with a slight bit of knowledge about finding unsecured databases on Shodan and other such platforms would have complete access to USE’s data including the following:
- Full Name
- Full Address
- Date of Birth
- Access tokens
- Phone Number
- Email Address
- Plaintext passwords
- ID numbers of users
- Bank details, including ID and account number
- Details on foreign citizens and companies, including citizens based in Uganda
The screenshot below shows the type of data exposed by the USE:
No Response from Uganda CERT or USE
Although exposing sensitive data of unsuspecting users and businesses to cybercriminals is itself a blunder, not responding to researchers and not caring about the mess-up is simply irresponsible.
Anurag and Hackread.com contacted Uganda Securities Exchange, Uganda CERT (Computer Emergency Response Team), and several other government institutions via Twitter, phone, and email; however, none of the authorities ever responded.
Amid this, the server remained exposed for days.
On June 12th, 2022, the 32GB worth of data was reduced to MBs. It could be that authorities wanted to keep the incident under wraps to avoid criticism from local media and entities affected by the breach. Nevertheless, at the time of publishing this article, the exposed server was secured and its IP addresses were no longer accessible to the public.
Impact on the company and clients
It is as yet unclear whether a third party with malicious intent, such as a ransomware gang or other threat actor, accessed the database. But if one did, it would be devastating for the USE, its customers, and its clients, including local and foreign businesses.
Furthermore, considering the extent and nature of the exposed data, the incident could have far-reaching implications. For example, bad actors could download the data, sign in to Easy Portal, and carry out identity theft, phishing, or trading scams.
If you use Easy Portal, it is time to contact Uganda Securities Exchange and inquire about the incident.