What's happening with NIN?
Welcome to the July newsletter! Learn about the latest breaches, CISA's password rule, and the Virtual Innovation registration extension.
NIN is for sale for ₦100
On June 20, 2024, Paradigm Initiative (PIN) revealed that unauthorised websites have illicit access to, and illegally distribute, sensitive personal data of Nigerians for as little as ₦100 ($0.66).
The digital rights company explained that AnyVerify.com.ng illegally distributes the following personal data:
Bank Verification Number (BVN)
National Identification Number (NIN)
Virtual NIN
Permanent Voters Card (PVC)
Driver’s licence
International passport
Tax Identification Number (TIN)
Company details
Phone numbers
PIN’s breach alarm came three months after the Foundation for Investigative Journalism (FIJ) disclosed that XpressVerify, a private website, has unrestricted access to every registered Nigerian's NIN and personal details.
The National Identity Management Commission (NIMC), the agency safeguarding NIN, debunked the PIN data exposure story, reiterating that the NIMC database is secure. To counter NIMC's claim that its database is secure, PIN purchased the NIN of Bosun Tijani, the Minister of Communications, Innovation, and Digital Economy.
The company said it served a pre-action notice to the government agencies responsible for safeguarding the personal data of Nigerians.
CISA recommends a 16-character password for businesses
The Cybersecurity and Infrastructure Security Agency (CISA) has recommended that passwords contain at least 16 characters.
CISA believes long, unique passwords made up of random characters (mixed-case letters, numbers, and symbols) will help businesses prevent password compromise, a common weakness malicious actors exploit to gain unauthorised entry into systems.
CISA’s recommendation comes after a Forbes Advisor survey in the US found that weak passwords are the leading reason for credential compromise in 2024. The new rule is the latest move towards secure password hygiene, following the UK’s ban on weak passwords in May.

CISA also suggested the following password hygiene for SMBs:
Use an enterprise-level password manager for employees.
Change every default credential on every software and hardware product. This is similar to the rule passed in the UK, which banned the use of weak or easily guessable passwords in internet-facing devices.
The New York Times GitHub was compromised
In June this year, the New York Times notified contributors of personal data theft.
But how did it happen?
The data was stolen from the newspaper’s GitHub repository, which was breached in January 2024. The Times believes the attackers used exposed credentials to hack its GitHub repos.
The compromised information in the repo included names (first and last), email addresses, mailing addresses, nationality, bio, website URL, social media usernames, and knowledge about diving and drone certifications.
While the US-based newspaper maintained the hack didn't affect their internal corporate systems or operations, BleepingComputer revealed that an anonymous user shared a 270GB torrent file containing The Times’ source code on June 13, 2024.

Cybercriminals launch DDoS attack during Poland Euro 2024 match
Suspected Russian cybercriminals launched a distributed denial of service (DDoS) attack on the Polish media house, TVP. The disruption happened during Poland’s opening match against the Netherlands in the ongoing Euro 2024 finals.

Bartłomiej Wypartowicz (an editor at cybersecurity news outlet Defence 24) suggested the incident wasn't malicious, as 20+ million people (more than half of Poland’s population) tried to access the match stream.
But Pawel Olszewski (Poland's deputy minister of digital affairs) argued that Russia instigated the attack to “prevent Polish citizens from watching the match online.”
CyBlack extends registration for the Virtual Innovation Showcase
In May, I discussed the 2024 CyBlack Virtual Innovation Showcase as an avenue to present cybersecurity research projects and startup ideas. The deadline for registration (originally June 24, 2024) has been moved to July 24, 2024, giving you more preparation time.
The showcase is open to members and non-members of CyBlack. Cash prizes, grants, networking, and mentorship are the proposed rewards for shortlisted participants.
Register for the second edition of the showcase here 👇🏾
The 2024 CyBlack Conference, a physical event for cybersecurity networking and strategic growth, will be held on August 22, 2024, in DiSH Manchester, UK. The theme for this year is “Inclusion as a Driver for Growth,” highlighting the vital role of inclusion and diversity in cybersecurity innovation and growth. The event is NOT free, but it’s open to everyone.
Lastly, I’m pleased that cyber-centric media outfit Security Magazine enlisted me as part of their Women in Security 2024. I spoke about the importance of awareness and passion as drivers for cybersecurity career growth.
That’s a wrap for July! Continue to stay cyber-vigilant. See you in August!