The National Social Security Fund (NSSF) has denied claims that its systems were hacked. The social scheme firmly assured Kenyans that no compromise or breach of its database was made, insisting that its core system and financial transactions are secure.
In a statement late last night, NSSF said, “We wish to assure our members that the core system, which stores member data and financial transactions, remains secure and safe.”
On May 19, an X account titled Devman had posted claims it had stolen a massive amount of data – 2.5 terabytes – from NSSF Kenya. Devman claimed to have modified NSSF’s Group Policy Object update (GPO update).
If true, this could allow the malicious actor to push malicious software, change security settings, or create backdoors across the fund’s domain. On a Windows network, Group Policy manages user and computer settings.
The hacker also claimed to have gained access via LDAP, a protocol used for accessing and maintaining distributed directory information services in Windows.
On X, part of the post read, “NSSF Kenya – 2.5 TB (of data stolen), plus GPO update and spread via LDAP and available share scan. I really thank the admin of @NSSF_ke for allowing me to have RDP on the network.”
However, NSSF denies that any data was extracted in the intrusion attempt.
“Based on the findings of our ongoing investigations, there is no evidence that any personal or financial member data has been compromised or extracted.”
Read: Australia Bans Kaspersky Software on Government Systems Over Security Risks
Devman also took a dig at Kaspersky, thanking them for the easy access, writing, “Special thanks to @Kaspersky team for not noticing mimitaktz and my movement in general.”
As a mandatory national scheme, the fund stores data for millions of Kenyans, and any breach will expose sensitive private data.
