IPPIS Payroll Validation, FG Workers’ Personal Data on OAGF Website Hijacked – Report


The “IPPIS Payroll Validation” section on the official website of the Office of the Accountant General of the Federation (OAGF) headed by Oluwatoyin Sakirat Madein has been hijacked by an unknown hacker.

A snapshot of the website section after clicking on it on the OAGF main website

Similarly, according to a report by the Foundation for Investigative Journalism (FIJ), workers’ personal data stored on the official website of the IPPIS Secretariat, a department of the OAGF, is vulnerable to attacks.

A snapshot of the suspicious web address details.

On Friday, FIJ reported that the Secure Sockets Layer (SSL) certificate of the website belonging to the IPPIS Secretariat had expired and had not been renewed for over a year.


The functions of the Secretariat and the OAGF are intertwined. While the Secretariat is responsible for the secure management of the Integrated Personnel and Payroll Information System (IPPIS), the payroll of federal government employees, the OAGF’s area of responsibility includes oversight of the accounts of federal ministries, departments and agencies (MDAs).

The attacker’s Facebook page

Failing to renew a website’s SSL certificate is a recipe for a breach of the data held in the site’s directories.
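The kind of ongoing check that would have flagged the Secretariat’s lapsed certificate long before it was a year overdue is straightforward to automate. The following certificate-expiry monitor is an added example written for this page, not tooling belonging to FIJ, the Secretariat or the OAGF. It uses only the Python standard library; the hostname `EXAMPLE_HOST` is a placeholder, the sample certificate dict is constructed, and the 30-day and 7-day alert thresholds are assumptions chosen for illustration.

```python
"""Certificate-expiry monitor (added example; not the page's own code)."""
import socket
import ssl
import time

# Placeholder hostname: substitute the site you actually operate.
EXAMPLE_HOST = "example.invalid"

# Assumed alerting thresholds in days; renew well before the certificate lapses.
WARN_DAYS = 30
CRIT_DAYS = 7


def expiry_status(cert, now_ts=None):
    """Classify a certificate dict (the shape returned by
    ssl.SSLSocket.getpeercert()) by the time left before its 'notAfter'.

    Returns (status, days_remaining) with status one of
    'ok', 'warning', 'critical' or 'expired'. now_ts is epoch seconds
    (defaults to the current time) so the check is testable offline.
    """
    now_ts = time.time() if now_ts is None else now_ts
    # getpeercert() reports times like 'Jun  1 12:00:00 2025 GMT';
    # ssl.cert_time_to_seconds() parses exactly that format.
    not_after_ts = ssl.cert_time_to_seconds(cert["notAfter"])
    days = (not_after_ts - now_ts) / 86400
    if days < 0:
        return "expired", days
    if days < CRIT_DAYS:
        return "critical", days
    if days < WARN_DAYS:
        return "warning", days
    return "ok", days


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the leaf certificate from a live host.

    Verification stays ON: an already-expired, mis-issued or untrusted
    certificate raises ssl.SSLCertVerificationError, which is exactly the
    condition a monitor should page on, since browsers will block users.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_host(host, port=443):
    """Return a dict describing the certificate health of one host."""
    try:
        cert = fetch_cert(host, port)
    except ssl.SSLCertVerificationError as exc:
        return {"host": host, "status": "invalid", "detail": str(exc)}
    except OSError as exc:
        # DNS failure, refused connection or timeout: still worth an alert.
        return {"host": host, "status": "unreachable", "detail": str(exc)}
    status, days = expiry_status(cert)
    return {"host": host, "status": status, "days_remaining": round(days, 1)}


# Constructed sample certificate dict containing only the field the check needs.
SAMPLE_CERT = {"notAfter": "Mar  1 00:00:00 2023 GMT"}

if __name__ == "__main__":
    # Offline demonstration on the constructed sample (expired relative to today).
    print(expiry_status(SAMPLE_CERT))
    # Live check; replace EXAMPLE_HOST with a real hostname before running.
    print(check_host(EXAMPLE_HOST))
```

Run `check_host()` from a scheduled job for every public hostname the organisation owns, and treat `warning` as a ticket, `critical` as a page, and `invalid` or `expired` as an incident. Keeping verification enabled in `fetch_cert()` is deliberate: disabling it to “see” an expired certificate would hide the very failure users experience.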

Page X suspended

Following the FIJ report, a source who preferred to remain anonymous informed FIJ of an even more worrying discovery on the website: workers’ data had been made public.

A snapshot showing that the IPPIS Secretariat email address is invalid

Thanks to this tip and further findings, the FIJ can now report that a huge amount of personal data of public employees remained vulnerable on the website.

Information about workers such as last names, middle names, first names, phone numbers, email addresses and dates of birth have been made public.

Other critical information left unprotected on the website included maiden names, dates of employment, salary structure, grade level and individual worker levels. FIJ is unable to publish these data in this report as doing so would be a violation of the law.

FIJ also noted that a web section called “IPPIS Payroll Validation” on the OAGF’s main website had been hijacked. Clicking on that payroll validation section opened a new web page that displayed an unreachable web address.

Further checking of that web address (https://ippisportal.helixfons.com/) raised more troubling questions. The web address was registered at Kalkofnsvegur 2, Reykjavik, the capital of Iceland.

SOCIAL MEDIA HIJACKED

FIJ also discovered that the secretariat’s social media profiles had been hijacked by a cybercriminal.

The secretariat’s social profiles are circled in red.

Like many organizations, the secretariat has a few social media profiles, including X and Facebook, and has linked them to the website.

Clicking on the X and Facebook links takes you to different pages, indicating that a cybercriminal has hijacked them.

For example, the Facebook link led to a page called “DevItems,” a web design company that last posted on February 9, 2020, and is supposedly based in Atlanta, USA.

The X link leads to a suspended handle (@devitemsllc), which obviously belonged to the same web design company.

Obviously, the health of these websites had been compromised. From FIJ’s observation, there is a strong indication that the information stored there could have been exploited by cybercriminals.

IMPLICATIONS

According to the Nigeria Data Protection Act, personal data means any information relating to a natural person who can be identified or identifiable, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, psychological, cultural, social or economic identity of that natural person.

To understand how sensitive information such as full name, date of birth, phone number and email address is, consider that people routinely use these same details for banking and other financial transactions.

In the case of government employees, the information could be linked to their payroll accounts and other digital accounts. With their sensitive information left unprotected by the government, they are exposed to privacy violations.

If this information is not protected, according to the source who provided the tip, an attacker could do many things with it, such as phishing. These details are also tied to workers’ financial data, because whatever information they provide must match the records held by their various financial institutions. In short, it would not bode well if an attacker had access to these credentials.

The FIJ’s findings may explain why some workers have reported unexplained deductions from their wages without receiving any satisfactory response from the secretariat or even from the OAGF.

In a February 8 report, Idris Abdulkabir, a Kaduna State civil servant, told FIJ that unsolicited deductions from his salary for loans could lead to his death.

“If I die from overthinking, please hold IPPIS accountable for indiscriminately taking my money and sending it to a loan agency I know nothing about,” Abdulkabir said.

The report also highlighted the experiences of other workers affiliated with federal medical facilities, including the University College Hospital in Ibadan, the National Orthopaedic Hospital in Kano and the Ahmadu Bello Teaching Hospital in Zaria.

In October, some workers complained that portions of their wages had been deducted to cover loans they had not received.

“I have not received a loan from any of these loan accounts. It is very obvious that this loan account committed this fraud in collaboration with some IPPIS staff in Abuja. I took a loan which has been cleared since April 2023. I do not owe anything to anyone,” an Ondo State government employee told FIJ in October.

Last November, FIJ also reported how N129,650 was deducted from a worker residing in Lagos State. “I cannot fathom the actions of IPPIS with my funds in these difficult times. After deducting the money from my account, IPPIS failed to pay Credit Direct what I owed. I am exhausted,” he told FIJ.

In all these reports, the Secretariat never responded to FIJ’s requests for comment.

POOR DATA MANAGEMENT BY PUBLIC INSTITUTIONS

Despite the existence of laws and regulations that require proper maintenance of websites and protection of citizens’ data, the failure of government institutions to effectively fulfill this responsibility is public knowledge.

The National Information Technology Development Agency (NITDA) and the Presidential Enabling Business Environment Council (PEBEC) mandate by law that government institutions maintain a quality, secure website for information storage and to enable citizens to demand quality service.

Section 7.2 of the NITDA guidelines, which applies to government websites, reads in part: “Government institutions shall: i. Engage in an ongoing process of maintaining the security of web servers to ensure ongoing security. ii. Use authentication and cryptographic technologies as appropriate to protect certain types of sensitive data with varying access privileges. iii. It is recommended that SSL be used for any cryptographic implementation.”

Surprisingly, from the police to the presidency, a pattern of mismanagement of official website channels has emerged.

In April, the official website of the State House was restored to normal only after FIJ reported that its SSL certificate had been expired for two weeks without renewal. A similar story played out with the official website of the Nigeria Police Force (NPF) in the same month.

In terms of data breaches, FIJ reported that citizens’ national identification data had been illegally collected and marketed by XpressVerify, a shady private website.

The ensuing media backlash forced the National Identity Management Commission (NIMC), Nigeria’s identity management agency, to disclaim responsibility for the breach and promise to investigate the incident. This came after the website’s host took the site’s domain name offline.

The OAGF did not have a telephone number on its website, and the inquiry form in the “Contact Us” section of the site did not respond when FIJ tried to send some questions through it.

At the time of going to press, the list of questions submitted via an email address on the website had not yet been considered.

For the IPPIS Secretariat, the customer service number +2349087005735 indicated on the website was unreachable, while the support email address was invalid. [FIJ]

The report “IPPIS Payroll Validation, FG Workers’ Personal Data on OAGF Website Hijacked” first appeared on TheConclaveNg.
