Where Hackers and Telcos Clash

By Lola Savage

In today's interconnected world, where businesses and individuals increasingly rely on technology for communication, storage, and analysis of data, cybersecurity has become paramount. Telecommunication companies, the backbone of our interconnected world, play a crucial role in ensuring the security of vast amounts of sensitive personal information. However, the telecommunications sector is not immune to cyberattacks, facing a multitude of threats ranging from IoT (Internet of Things) device vulnerabilities to sophisticated cloud attacks. This article delves into the intricacies of cybersecurity in the telecommunications industry, citing examples from the recent security issue faced by telecommunications giant MTN.

Introduction 

One fateful Saturday in November 2023, MTN subscribers who had borrowed airtime from the telecommunication company suddenly saw their debts cleared as a result of a technical glitch experienced by the company. While some customers took to social media to celebrate the unlikely win, the telecoms (telecommunications) giant issued an official apology and assured customers of the total restoration of their balance upon resolution by their engineers. Such "glitches" are not uncommon among telcos (telecommunication companies), government institutions, fintechs, and financial institutions in the global digital economy. While some glitches are malfunctions or results of an upgrade, others have been revealed to be related to system breaches and fraud. The cost of cybercrime has skyrocketed in recent years, with the Center for Strategic and International Studies (CSIS) estimating that global losses reach a staggering $600 billion annually, a significant increase from the approximately $445 billion reported by a 2014 study. In all this, Nigerians have lost about N12.5 billion to financial crimes linked to the telecoms industry in the past four years. In this article, we investigate how secure telecommunication companies in Nigeria truly are.

Digitization In Nigeria

The digital revolution in Nigeria goes as far back as the late 1990s and early 2000s with the liberalization of the telecoms market, which led to increased mobile phone ownership and internet access. This wave transformed Nigeria by creating jobs, economic growth, improved access to goods and services, and empowerment, and it was widely accepted among the country's bustling population of over 200 million people, the majority of whom are youths.

Source: Statista

Nigeria is considered a mobile-first market where infrastructure and online usage development quickly transitioned to mobile internet usage via inexpensive smartphones. The country ranks second on the list of African countries based on the share of traffic, with more than three-quarters of Nigerian web traffic being generated via smartphones. In 2022, Nigeria, the largest economy in Africa, had nearly 84 million internet users, and this is expected to grow to 117 million internet users by 2027. Internet penetration amounted to over 38 per cent of the population in 2022 and is set to reach 48 per cent by 2027. Simultaneously, e-commerce spending is also projected to reach a staggering $75 billion by 2025. The COVID-19 pandemic contributed to the rise of mobile technology in the 21st century, increasing e-commerce adoption, fintech growth, and the emergence of the gig economy, which are key trends shaping the digital landscape. The Nigerian government has taken a proactive approach by implementing the National Digital Economy Policy and Strategy (NDEPS). Additionally, it has lent support in other ways, including the passage of the Nigerian Telecommunications Act, the launch of the National Information Technology Development Agency (NITDA), the GSM Association's Africa Com event, MTN Nigeria's 3G network launch, and the issuance of 3G and 4G spectrum licenses by the Nigerian Communications Commission (NCC).

Cybercrime And the Digital Economy

As the world forges on into the digital age, corporations, governments and individuals across the world have increasingly continued to depend on technology for gathering, analyzing, and storing data. This reliance, which was further necessitated by the COVID-19 pandemic and remote work model, fueled a surge in cybercrimes, ranging from minor data breaches to large-scale attacks impacting millions of users. The year 2020 also witnessed a staggering 358% surge in malware attacks compared to 2019. Another significant impact of the pandemic was evidenced in the substantial increase in the number of victims per hour. Before the pandemic in 2019, the average number of cybercrime victims per hour was 53. However, in 2020, the first full year of the pandemic, this number skyrocketed to 90, representing a 69% increase. This surge in cyberattacks has also been accompanied by a rise in the average cost of data breaches per hour. In 2001, the average hourly cost of data breaches to individuals was $2,054. By 2021, this hourly loss rate had increased dramatically to $787,671, highlighting the growing severity of cybercrime and its financial consequences. 

This alarming trend continued throughout 2021, with cyber-attacks escalating by 125% globally. In the United States alone, the year 2022 witnessed a staggering 1,802 data compromise cases, a dramatic rise compared to the 447 cases reported a decade earlier. The Cam4 data breach in March 2020 remains the largest reported data leakage to date, exposing over 10 billion data records. The Yahoo data breach of 2013 ranks as the second-largest data breach in history, with the company initially reporting around 1 billion exposed data records, later revealed to be 3 billion. Another significant data leakage was in March 2018 when India's national ID database, Aadhaar, was breached, exposing over 1.1 billion records. This compromised information included sensitive biometric data such as identification numbers and fingerprint scans, which could be exploited for various purposes, including opening bank accounts and fraudulently receiving government aid. The relentless growth of cyber threats continues to pose a significant risk to businesses and individuals with no signs of abating, and cybercrime is projected to cost companies worldwide $10.5 trillion annually by 2025.

Is Telecommunication Safe?

The telecommunications sector encompasses a wide range of companies, including internet service providers (ISPs), radio, telephone, and satellite corporations. These organizations form the backbone of our interconnected world, enabling seamless communication across vast distances. Africa, with a cumulative GDP of $2.98 trillion in 2022 and expected to reach $4 trillion by 2027, owes parts of its growth to the increase in demand for internet and digital services. Africa's digital economy has been projected to be worth $180 billion in 2025 by the World Bank, and at the same time, the escalating frequency and sophistication of cyberattacks across the continent is growing faster than the regulations. This is posing a grave threat to the security of vital information infrastructure.

Telecommunication providers face a multitude of threats, including Internet of Things (IoT) devices, Distributed Denial-of-Service (DDoS) attacks, cloud attacks, insider threats, and third-party risks. IoT devices, with their lacklustre security and infrequent updates, create more opportunities for threat actors to exploit. DDoS attacks can disrupt services, cause shutdowns, and create financial losses. Cloud networks, while generally more secure than onsite servers, can also pose security risks if compromised. Insider threats, either intentional or unintentional, can cause significant harm to telecom providers. Third-party services, such as hosting services, email providers, and vendors, can also act as entry points for cyberattacks.

The telecommunication sector must give priority to cybersecurity, chiefly because its intertwined networks contain sensitive personal information. For instance, one SIM card can be linked to one's National Identification Number (NIN), which contains details such as biometrics, as well as access to banking details. A breach in the system can expose sensitive information of many people, which can cause financial loss and reputational damage for the organization, the customer and the country at large. IBM's Cost of a Data Breach report revealed that in 2023, the average global cost of a data breach soared to a record-breaking $4.45 million. This alarming figure marks a 2.3% increase from the previous year and a substantial 15.3% jump from 2020. A multinational cybersecurity company also revealed that Nigeria has one of the highest levels of cyber threat on the continent, with backdoor and spyware attacks being cited as the most common threats in Nigeria, with 46,000 attack attempts.

 

Source: Statista

In 2022, manufacturing companies accounted for nearly 25% of all cyberattacks during the year, followed by the finance and insurance industry with approximately 19%. The professional, business, and consumer services sectors ranked third with a share of 14.6%, while the media and telecom ranked 10th with a share of 0.5%. In the same year, the average cost of a single data breach across all industries worldwide reached a staggering $4.35 million. The healthcare sector bore the brunt of these breaches, with each data leak costing an average of $10.1 million. The financial sector was not far behind, with each breach causing an average loss of $6 million, $1.5 million higher than the global average. 

Breaches In the Digital Economy 

Just a week after its launch in late May 2022, MTN Nigeria's financial services subsidiary, MoMo Payment Service Bank, experienced a data breach reportedly resulting in the loss of 22 billion naira ($53 million). While banks rarely publicly acknowledge or admit to data breaches, evidence suggests they are a frequent occurrence. For example, between July and September 2020, Nigerian banks incurred N3.5 billion (~$9 million) in losses due to fraud, a staggering 534% increase compared to the same period in 2019. These illicit activities are often perpetrated by insiders, former employees, or external hackers.

Other predominant cases of breaches in the Nigerian digital economy can be traced to various social media hacking and social engineering scams, such as WhatsApp hacking. Scammers use various methods to hack WhatsApp accounts, including phishing, malware, social engineering, and call forwarding, and these methods are not peculiar to Nigeria. A security firm based in Israel, Check Point Software Technologies Ltd., recently uncovered several vulnerabilities in the WhatsApp messaging app, revealing ways hackers can manipulate messages sent to groups by altering the identity and messages of the sender. Meta's expansion of WhatsApp beyond its intimate messaging roots to include "communities" and "channels" features has raised concerns about user privacy. By exposing phone numbers to a broader audience, these features increase the potential for unauthorized access and data breaches. While two-factor authentication (2FA) can protect users against certain types of attacks, it is not impenetrable, and more sophisticated hacking methods can bypass its safeguards. According to Adesola, a security expert, WhatsApp has experienced numerous vulnerabilities in recent years, and some of these flaws remain unaddressed.

Public Sentiments

Telco users have at some point thought about or toyed with the idea of their conversations being listened to but have had no reason to fear or suspect public exposure. The National Communication Commission is bound by the Nigerian Communications Act (NCA) 2003 and, therefore, "cannot track nor leak telephone conversations to anyone". However, when private phone conversations between 2023 Labour Party (LP) presidential candidate Peter Obi and Pastor Oyedepo of the Winner's Chapel during the election season went viral, all eyes were turned to the telcos and their regulators, who denied having any hand. The media aide of the candidate then came out to discredit the audio as edited and out of context.  

In 2020, Laws and Rights Awareness Initiative, an NGO, dragged the NCC to court, challenging the regulations that grant unrestricted access to subscribers' personal information, including call records. The NGO alleged that the provisions outlined in section 8 of the Nigerian Communications (Enforcement Process) Regulation 2019, which grant the NCC the authority to transfer call records, including subscriber location, timestamps, and phone numbers associated with regular phone calls and SMS messages to relevant authorities without prior court approval, infringe upon individual privacy rights. 

In a more recent experience in July 2023, one of the major mobile network operators was allegedly hacked, with the hackers holding on to valuable data of the telco for over a week, thus inhibiting the telco from running the business and delivering essential services. Although the telco did not speak to this, reports online claimed the hackers held them to a $2.5 million ransom payment before releasing the parts of the network under their control.

Telcos hold a major stake in our interconnectedness with the global economy, and without the internet in this modern age, a lot of things would come to a halt. Customers of this telco would have faced inconveniences they had no answers to for the period they experienced this network downtime.

In a recent development, cybersecurity firms HackManac and FalconFeeds revealed that Fawry, a fintech company in Egypt, had been added to the list of targets by the ransomware group, Lockbit. Evidence provided by both firms included screenshots showing that Lockbit had set a deadline of November 28, 2023, for Fawry to comply with their ransom demands or face the public release of their data on the dark web.

Image source: HackManac

Operating since 2019, Lockbit has earned a reputation as the world's most prolific ransomware group. Between June 2022 and July 2023, the group was responsible for a staggering 28% of all ransomware attacks, leaving a trail of approximately 1,046 victims. Fawry's data breach experience led to a crash after the threats were made public, with the company claiming that the crash occurred because customers rushed to withdraw their funds and close their accounts. Following the security scare, Fawry's shares experienced a 4.6% decline, with the fintech company promptly restoring its payments app and smart wallets and pledging to investigate the reported threats thoroughly.

Data breaches from human error and malicious criminal activity will continue to be a threat to communication technology companies, and these dreaded events can inflict severe damage on victims, leading to financial losses, reputational damage, and regulatory fines. In fact, for small businesses, the consequences are particularly dire, with 60% of those experiencing a breach ceasing operations within six months. The rapid advancement of technology, particularly with the deployment of 5G networks in Nigeria, has heightened the urgency of addressing privacy, data integrity, and online trust within telecom infrastructure.

What Can Telcos Do Better?

Telcos are in a hypothetical love triangle with glitches and breaches that will always have the Telcos on the losing end. This is why it is important to approach the phenomena from a proactive as opposed to reactive point of view. Because cyberattacks are so dynamic, it is important to keep conducting regular risk assessments and implementing multi-factor authentication. It is equally important to educate employees and customers by holding regular training courses on best practices and common threats. Telcos face significant cybersecurity risks due to the sensitive data they store and transmit, and to protect themselves, they must maintain a holistic cyber resilience structure. 

What Can the Government Do Better?

The Nigerian government can contribute to the digital economy and curtail cybercrime by enforcing cybersecurity regulations such as the Data Protection Act, which provides a legal framework for the protection of personal information and establishes the Nigerian Data Protection Commission for the regulation of the processing of personal information. As a result, the Nigeria Data Protection Commission (NDPC) mandated data-reliant bodies to apply to the Commission for data protection compliance monitoring before December 2023. Sanctions and stringent measures have a history of eliciting compliance; therefore, plans are being made to charge commercial banks and telecom companies 2% of their annual revenues for data breaches. The government can also do better by setting up secure and trusted information-sharing platforms, funding cybersecurity research, employing and continuously educating the cybersecurity workforce, raising public awareness, promoting international cybersecurity cooperation, establishing cybercrime investigation units, and enhancing cyber defense.

What Can Customers Do Better?

Unsuspecting customers often bear the brunt of cybercriminals' activities; however, consumers and businesses are becoming increasingly aware of the threats in cyberspace. To stay ahead of cybercrime, customers should practice good security hygiene, use strong passwords and two-factor authentication, share sensitive information cautiously, keep software updated, be wary of phishing scams, avoid clicking on suspicious links, back up data regularly, and report cybercrimes to authorities. Customers also need to be careful about using public Wi-Fi and should shred documents that contain sensitive information before throwing them away.

Conclusion

Glitches and breaches, as well as human and system errors, happen in many areas that influence our daily lives, such as telecommunication networks, mobile communications, online banking, and e-commerce. In this digital age, telcos are exposed to a myriad of cybersecurity risks, such as data breaches, denial-of-service (DoS) attacks, malware, and social engineering attacks. To mitigate these risks, telecom companies must implement strong security controls, educate employees and customers about cybersecurity, and have a comprehensive incident response plan. Africa's lack of a digital security infrastructure, with 90% of businesses operating without a cybersecurity protocol in place, makes those businesses targets of cyber threats such as hacking, phishing, and malware attacks. As long as the digital economy continues to grow and penetrate different sectors of our lives, so will the activities of fraudsters, unless adaptive measures are taken. This is why businesses and individuals in the digital economy need to build a constantly upgraded protective shield against cyber threats.
