Extortion Gang Adds Africa's Supermarket Giant to its List of Victims

The RansomHouse cyber extortion group has added yet another victim to its growing list of victims less than a month after launching its operations on the darkweb. Its victim this time is Shoprite, Africa's largest supermarket chain. The company, which is the biggest private sector employer in South Africa, has over 149,000 employees running its 2,943 stores across Africa.

Earlier this week, cyber security firm, BetterCyber, obtained information about how the RansomHouse gang compromised Shoprite's internal systems and helped itself to about 600GB of personal and company confidential data on its way out of the network.

The gang wrote: "Meet Shoprite! The company that runs your favorite stores if you live in Africa. Truth is, it's been quite some time since we encountered something THAT outrageous" their staff was keeping enormous amounts of personal data in plain text/raw photos packed in archived files, completely unprotected. Feel free to have a look at the data sample at (sic) our website. We've contacted Shoprite management and invited them to negotiate, but the only thing they did is change their passwords like it solves everything. If their position doesn't change, most of this data will be sold with something disclosed to the public. Apart from KYC data, we also got lots of other interesting stuff from the company. Yes, they like to keep a lot of things unprotected."

Four days after the data breach incident, The Shoprite Group made some attempts to limit the damage by publishing the article in the image below on its corporate website, warning data subjects that "there is a possibility that their data may be used by unauthorized party" while advising them to "follow common precautionary measures such as changing their passwords regularly and not disclosing personal information carelessly."

Well, that's a day late and a dollar short as that information, and more, is already is in the wrong hands. Unfortunately, data protection laws in Africa are nowhere near as strong as they are in first world countries. Where the average victim of data breach of this magnitude in the US would have been getting one year of free credit monitoring service for instance, Shoprite is only going to be sending SMS to the cell phone numbers supplied by the victims of this breach. Not good enough, but it's better than nothing.

Up until very recently, Africa had never been an attractive hunting ground for cyber criminals. That, however, is rapidly changing given that this is another one of a few high profile data breach incident on the continent in the last couple of months. Back in April, the Russian Black Cat group launched a devastating attack on Bet9ja - an online bookmaker company, based out of Nigeria, that offers betting on major sporting events.

Last month, the country's Data Protection Bureau commenced investigations into reports of breach of data privacy where some customers of Wema Bank PLC complained of breach of their rights to data privacy and protection by the bank.?This data processing, according to the complaints against the bank, involves using their personal data - possibly derived from the Bet9ja breach (?) - to open accounts. It will be interesting to see where that investigation leads or ends.

As we speak, the Lockbit ransomware group has given Mali's Directorate General of Taxes (or Internal Revenue Service) until June 22 to pay up otherwise its sensitive files will be published.

These are just some of the other recent high profile data breaches on the African continent.

Back to Shoprite. Unlike other Ransomware gangs, The RansomHouse group specializes in extortion. Rather than encrypt an organization's systems and data, it simply breaches its systems, harvests its critical, mostly regulated and company confidential, data then names its price. If the organization refuses to play ball, it heads to the darkweb to sell to the highest bidder. Fortunately or unfortunately, there is usually no shortage of takers on the darkweb - Fullz, (which is cyber fraudsters' slang for information package made up of firstname, lastname, date of birth, social security number, email address, and so forth) is a valuable item in the hands of the cyber fraudster.

Needless to say, if Shoprite refuses to pay, this criminal gang will still find a way to monetize its heist. On the other hand, if Shoprite pays, there can be no guarantee that the criminals will fulfil their part of the deal. They are criminals for a reason.

These recent incidents should remind businesses in Africa of the need to pay close attention to cyber defense as much as it should remind its politicians and policy makers of the need to be more intentional about the enactment and enforcement of data protection laws.

Daigle, Brian in “Data Protection Laws in Africa: A Pan-African Survey and Noted Trends.” Journal of International Commerce and Economics, February 2021, ?opined that African nations’ rules governing the protection of personal data are a patchwork, with some countries offering little to no protection policy while others have extensive digital governance frameworks. Even the ones with the so called extensive digital frameworks struggle to hold data processors and/or controllers accountable in the event of a major breach.

The "Data is the new oil" cliché comes to mind every time a major breach like this happens. Clearly, weak data protection laws and nonchalant attitude to cyber defense are two of a few things that can stagnate Africa's development.