Niël Terblanché
The absence of a robust Data Protection Act and of more stringent regulatory oversight by the Communications Regulatory Authority of Namibia (CRAN) is partly to blame for the massive cyber terrorist attack on the country’s key telecommunications provider and other government institutions almost three weeks ago.
Paul Rowley of My Digital Bridge Foundation, whose mission is to enrich the lives of marginalized communities through equitable access to technology, said a comprehensive data protection act in Namibia could have significantly reduced the damage caused by the attack.
He explained that the Act could have established clear guidelines and obligations for data controllers and processors.
“Robust policies would mandate stringent security measures for protecting personal data, reducing the risk of breaches. Legislation would also hold organisations accountable for data breaches, imposing fines and penalties, which could incentivise better data protection practices,” he said.
According to Rowley, such an Act would also provide consumers with the right to be informed about data breaches and to seek redress, ensuring transparency and accountability.
“The act could establish a supervisory authority to oversee data protection practices and enforce compliance, which would ensure that organisations adhere to the required standards. Further, the regulator’s role, the Communications Regulatory Authority of Namibia (CRAN), has also to be considered. It has already faced criticism for its handling of consumer protection, particularly in outsourcing SIM registration to Mobile Network Operators (MNOs),” he said.
He attributed the lack of oversight to CRAN, which then outsourced the SIM registration process to the MNOs.
He said that CRAN reduced its direct oversight over the process, potentially leading to lapses in data protection.
“The collection of biometric data without comprehensive data protection laws raised significant privacy issues, as there are no robust safeguards to prevent misuse. The extension of the SIM registration deadline suggested challenges in enforcing the regulations effectively, which further undermined consumer trust,” he said.
Overall, Rowley said a robust Data Protection Act and more stringent regulatory oversight would have mitigated the impact of the cyber breach and better protected consumer data.
While the full extent of the fallout of the data breach is still being assessed, Telecom Namibia’s chief executive officer, Stanley Shanapinda, said that the state-owned enterprise refused to negotiate with cyber terrorists.
“Namibia does not negotiate with terrorists. We did not engage with their demands, as doing so would set a dangerous precedent,” he stressed.
Shanapinda, in an interview with DesertFM on Monday, acknowledged that the cyber terrorists demanded a ransom from Telecom and threatened to release the data on the dark web if payment was not made by 11 December.
He acknowledged that when the ransom was not paid, the personal data of more than 493 000 Telecom clients was released to the world on various platforms available on the Internet.
The breach is believed to have originated from vulnerabilities in remote connections used by employees accessing the system from external locations.
According to Shanapinda, hackers could have exploited unprotected personal devices, allowing viruses to compromise Telecom’s internal systems.
“Once we detected the breach, all remote access to our system was immediately severed,” he said.
He added that employees are now required to be physically present at their workstations to access the system.
According to Shanapinda, Telecom Namibia has implemented security upgrades, including password changes for all employees and the introduction of multi-factor authentication to enhance identity verification.
“We are strengthening our security posture to ensure incidents like this do not occur again. This includes employing external cybersecurity experts to assess vulnerabilities and monitor unusual traffic patterns,” he said.
Modestus Amutse, the deputy minister of information and communication technology, in a separate interview, said that the Office of the Prime Minister and other government institutions are working with local and international partners to retrieve data lost from computer systems that have been compromised by the hackers.
He said that it is difficult to block hackers because they use advanced technology and have a lot of resources.
According to Amutse, besides recovering stolen data, all government institutions are working to prevent further attacks.
He urged the public to remain calm while the government investigates the extent of the terrorist attack on the country’s government computer systems.
The deputy minister acknowledged that the hackers also breached other Namibian institutions but that security measures already installed successfully stopped some of these attacks.