With the rise of the digital age, several universities now place emphasis on their online platforms.
Though practices might differ between public and private universities, school fees payment, course registration, and application for hostel accommodation are conducted online (to some extent).
For most private institutions, online activity steps up to include learning, project supervision, seminars, and presentations.
Nonetheless, this means the information on students, lecturers, and administrative staff of private and public universities is now stored online.
However, Techpoint can confirm that the websites and databases of two Nigerian universities — Ahmadu Bello University (ABU), Zaria and the University of Benin (UNIBEN), Benin City — and Mount Kenya University, Thika, Kenya are porous, vulnerable and in urgent need of attention.
Also, this data, which includes admission lists, course registration details, and personal data of students and staff, is being shared in some exclusive hacker forums, leaving students, lecturers, and administrators at the complete mercy of unknown cybercriminals.
How did this happen?
Three years ago, a Pakistani Penetration Tester, Touseef Gul, discovered some bugs (weaknesses or vulnerabilities that hackers can exploit) in three Nigerian universities — Nnamdi Azikiwe University (UNIZIK); Ahmadu Bello University, Zaria; and Salem University — and Mount Kenya University, a private university in Thika, Kenya.
Bug hunters and Penetration Testers are cybersecurity professionals that test for loopholes that hackers can exploit in websites or apps of reputable organisations, and report them with insights on how to fix them, and prevent any intrusion or abuse before it becomes public knowledge.
According to Touseef, all he did was a surface search on the main domain of these websites (URL), and he could find bugs, without having to go deep into their systems.
“With ABU, Zaria, for example, all I needed to do was type in portal.abu.edu.ng on my browser along with a few other characters, and I discovered the bugs,” he explains.
Touseef reported his findings to these universities in 2017, and the developers from UNIZIK responded by saying that they couldn’t resolve the issue because of a crisis in that region: this was during unrest in South-eastern Nigeria.
Encouragingly, developers from Salem University contacted Touseef and asked for advice on how to fix the detected bugs.
However, ABU, Zaria and Mount Kenya University did not respond to the initial queries, nor to the follow-ups a few months later.
“For universities in Nigeria, I tried to approach them via the media, but I was surprised when even journalists didn’t respond. A few of them asked for details (proof) and I gave them but I never heard back,” says a surprised Touseef.
How about now?
Hoping to find good news, upon getting this report a few days ago, we asked Touseef to run another check on these websites and found that UNIZIK had fixed the bug he found three years ago, while Salem, which had a custom-built website, had moved to a relatively secure WordPress site.
However, the checks reveal that ABU and Mount Kenya are still vulnerable. Also, after a test on the domains of the University of Lagos (UNILAG), University of Ibadan (UI), and the University of Benin (UNIBEN), Touseef discovered malware on UNIBEN's domain.
Touseef uncovered ABU's database with the records of about 256,370 students. Since the university is unlikely to have that many students enrolled at once, this suggests that it is possible to obtain the records of both past and current students of the university.
ABU Zaria stored the login details — usernames and passwords — of these students in plain text, and they were easily uncovered by Touseef. Other data, such as admission lists, graduand lists, and other administrative files, were also uncovered.
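The plain-text password storage described above is the defect a portal developer would fix first. As an added example that is not the article's or any university's code, the following Python shows a constructed credential table migrated from plain-text passwords to salted PBKDF2-HMAC-SHA256 records, so that a dumped table no longer reveals the passwords; the user IDs, passwords and round count are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed sample rows in the weak, plain-text form; not data from any real portal.
PLAINTEXT_ROWS = {
    "u2017001": "hunter2",
    "u2017002": "zaria123",
    "u2017003": "hunter2",  # a second user who happens to share a password
}

PBKDF2_ROUNDS = 600_000  # assumed work factor; raise it as hardware gets faster


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record: algorithm$rounds$salt_hex$hash_hex.

    A fresh 16-byte random salt per user means two identical passwords produce
    different records, so a leaked table cannot be attacked with one lookup.
    """
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and rounds; constant-time compare."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # malformed or legacy (plain-text) record: never accept it
    _, rounds, salt_hex, hash_hex = parts
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(dk.hex(), hash_hex)


def migrate_plaintext_table(rows: dict) -> dict:
    """One-off migration: replace every plain-text password with a PBKDF2 record.

    After this runs, the plain-text column should be dropped; a dump of the
    migrated table exposes only salted hashes, not usable credentials.
    """
    return {user: hash_password(pw) for user, pw in rows.items()}


def password_visible_in_table(table: dict, password: str) -> bool:
    """What a dump attacker learns: True if the password appears verbatim anywhere."""
    return any(password in stored for stored in table.values())
```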
The records of Mount Kenya University's 211,373 students, both past and present, from admission lists to student and administrative information, were also uncovered. As Touseef reveals, some hackers have shared data from Mount Kenya on various forums, including names, addresses, and phone numbers, and there's no telling what other platforms have received the details of the breach.
Google has picked up malware in UNIBEN’s domain and on an attempt to reach the website, you might meet a warning such as this.
They don’t seem to care
“One security researcher once told me that many countries in Africa don’t care about cybersecurity, or what happens to their data online,” says Touseef.
Judging from the responses so far, you could say the same of Nigerian universities, but the problem appears to run deeper. Even students of these universities do not seem surprised.
“How can they care about cybersecurity when they don’t even care about online activities in the first place?” asks Efe*, a recent graduate of UNIBEN.
“In school, my lecturers told us not to care about whatever results the school posts online. We only paid attention to what was on our department’s notice board. During this time, what was online and what the department recorded physically could be different,” he explains.
For Amina*, also a recent graduate of Ahmadu Bello University, the school, like most public offices, places more emphasis on physical records than anything digital. She explains that before the introduction of Remita, school fees were mostly paid in banks.
“We only register courses online and apply for hostel accommodation. Most times, we have to complete it offline. It is even more important to secure the hostel and register your courses offline than online,” says Amina.
What the law says
According to the NDPR, issued by Nigeria's National Information Technology Development Agency (NITDA), one of the important questions an organisation must answer is what security measures it takes to prevent a data breach.
There have also been unconfirmed reports of students exploiting vulnerabilities in these websites and manipulating website content to get results to computer-based exams which they never sat for, register courses without having to pay for them, and even get onto a school’s admission list.
Two weeks ago, NITDA ordered all public offices to go digital within 60 days. Despite the obvious challenges in execution, if this is accomplished, public offices cannot remain carefree about cybersecurity.
Asterisks (*): not real names