Source: SheSecureshttps://shesecures.org/arik-air-hack/

Yes, Arik Air was hacked. On Tuesday, the 30th of October 2018, twitter went crazy. What happened: a cyber security expert Justin Payne made a public disclosure that shook a lot of African organizations. No, not just african organizations but industry experts.

It has left a lot of discussions on the minds of people. Some blaming Arik Air for not responding swiftly. Others of the opinion that it was of no risk.

In Africa there’s been quite a number of breaches over recent years. From the breach in South Africa and now a data leak in Nigeria. African Cyber security professionals and experts from various cities can’t stop emphasizing how much African companies ought to start taking vulnerability disclosures seriously and act on them as fast as possible.

But, really. Where does this leave organizations. African or global organizations. What can they learn from this leak? But first, how did Arik get its data leaked.

How did Arik Air Get Hacked?

On the 6th of september, Justin Payne began his scan for vulnerable amazon s3 buckets. Paine, who is the head of trust and safety at Cloudflare, said his attempt to alert the company to the exposed data was not acknowledged until September 24. So on the 30th, Justine went on to disclose his findings on twitter


3 things Organizations Can learn from Arik Air Hack & Data Leak

1. Embrace Responsible Disclosure Culture: Organizations in Africa need to know this; so long as your organization or business is online. You will remain a target to hackers. Your product, your employees, and everything about you is like a hot menu waiting to be tried out in the restaurant. First, organizations need to set up a distinct unit or department that deals with incident response and responsible disclosure. This can be done by creating a platform (website or email) where vulnerabilities can be reported to without the researcher being reported or arrested for breach.

2. Don’t rely on outdated Technologies: Most security breaches occur due to ignored technology (oversight) that’s in use or outdated technologies. For example, Deloitte was reportedly hacked. How did this happen? According to guardian, At the time of the hack, Deloitte did not have multi-factor authentication As a result of this, hackers could get into the system through the administrator’s account. Outside hacking can be malicious and the cost of such attacks is costlier when compared to data breaches through system glitches and human errors.

3. Reduce Delay in Response and Reporting: So, notice a data breach, or someone suggested there might be one. There should be no hesitation and such extraction of personal data by hackers should be addressed immediately without delay before it spreads across the entire customer base or get’s noticed by hackers willing to trade it on the dark web. As cyber-attacks become common, it is important for CEOs or CTOs of organizations to address the issue of cybersecurity diligently and create a protected environment.

What more can be done to keep organizations on their toes.

1. Heavy sanctions from the regulator should be a starting point. This would set up some real sense of responsibility infused into these organizations concerned. If there is a hack, and nothing is done to inform users or mitigate the damage. There should be a sanction for that.

2. There should be a Data Protection (DP) regulation a dedicated DP authority that specifically deals with these organizations.

Read more on what you can do as a user to protect yourself and your data.. https://shesecures.org/arik-air-hack/