| Authority: | Personal Data Protection Office |
|---|---|
| Jurisdiction: | Uganda |
| Relevant law: | Data Protection & Privacy Act, 2019 |
| Type: | Breach |
| Outcome: | Violation |
| Started: | 18 June, 2022 |
| Decided: | June, 2023 |
| Published: | June, 2023 |
| Fine: | N/A |
| Parties: | Unwanted Witness vs. Uganda Securities Exchange & Soft Edge Uganda Limited |
| Case No./Parties: | PDPO-202205-0325 |
| Appeal: | N/A |
| Original Source: | PDPO |
| Original contributor: | Isaac Vincent |
The PDPO held the Uganda Securities Exchange (the “Respondent”), its Processor and Responsible Representatives accountable for a security breach resulting from the unauthorized disclosure of personal data by a third party.
The Respondent circulated a rebuttal of a report in a local daily which alleged that its servers had been breached by a threat actor, exposing the personal data of an unknown number of market participants; the rebuttal drew the attention of the regulator. A complaint over the same alleged breach was also lodged against the Respondent by Unwanted Witness, an NGO, and by an unnamed individual.
The PDPO undertook investigations into the alleged breach and confirmed that the Respondent had indeed suffered a data breach. The breach occurred when the servers of Soft Edge Uganda Limited (the “Processor”) were compromised and personal data accessed. The Processor's servers exhibited a vulnerability created by an incorrectly configured firewall on the audit log server, which had been set up to track all actions during an upgrade of the Know Your Customer (KYC) system; this misconfiguration was exploited by the hackers.
It was also noted that the Processor failed or neglected to follow the Respondent's change management protocols as set out in the Respondent's policies and in the Data Sharing Agreement signed between the parties, which led to the breach persisting for 12 days after the event. The Processor was also not registered with the PDPO as required by law, and the Data Sharing Agreement between the parties was inadequate, as it did not fully comply with the requirements of the DP&PA, 2019.
The PDPO held as follows:
Ugandan law provides no monetary fines, and the case highlights the enforcement risks (personal liability) of non-compliance.
https://www.theeastafrican.co.ke/tea/business/uganda-data-miners-to-comply-with-privacy-law-4355728