Executive Summary.

The year 2019 has just begun, and information security is high on the agenda of most organizations as they work to ensure that their digital assets are secure from compromise and breaches. Looking back at the just-ended year 2018, we saw that even the biggest companies were compromised and were not spared by the hackers; recall Cambridge Analytica and the Uber data breach.

Governments also played their part by enacting cybersecurity legislation that ensures the confidentiality, integrity and availability of information. Examples include the GDPR enacted by the European Union and the Computer and Cybercrimes Bill in Kenya.

Data Breaches.

A data breach exposes users’ credentials and personal data to hackers: email addresses, credit card numbers, phone numbers and other confidential information. We look at some of the data breaches that occurred in 2018.

Equifax Data Breach.

The Equifax cyberattack exposed information belonging to 146 million people around the world, mostly from the US. The hackers were able to access Social Security numbers, birth dates and addresses during the incident. They achieved this by exploiting a “website application vulnerability”.

Uber Data Breach

The Uber data breach was also one of the cyberattacks that hit the headlines last year. According to the Bloomberg news agency, the hackers stole the personal information of about 57 million customers and drivers, including names, email addresses and mobile phone numbers. The hackers achieved this by accessing the data on a third-party cloud-based service that Uber uses.

Cambridge Analytica

Cambridge Analytica is a political consulting firm that worked during the US election in support of Trump; it harvested the raw data of 50 million Facebook users. The harvested data was used to build a powerful software program to predict and influence choices at the ballot box.

SACCOs Fraud

In Kenya, suspects in electronic fraud targeting the IT systems of several Kenyan SACCOs, including Safaricom Sacco, Bamburi Sacco and Stima Sacco, were held for fraudulently obtaining Kshs 70 million. The suspects were mainly staff and interns (insider threats).

A report released last year by Serianu showed that Kenya lost 21 billion to cybercrime in the year 2017.



Governments and various regulators such as the European Union passed and enacted laws that govern how organizations handle their customers’ personally identifiable information (PII).

Computers and Cybercrime bill 2018

This bill was assented to by the President of Kenya. The law was meant to curb cybercrimes and computer-related offences. Here is the summary:


The EU General Data Protection Regulation (GDPR)

On May 25th 2018 the GDPR came into force, and organizations that were not compliant were heavily fined.

The GDPR was designed to:

  • Harmonize data privacy laws across Europe,
  • Protect and empower the data privacy of all EU citizens, and
  • Reshape the way organizations across the region approach data privacy.

It was also meant to reshape the way in which data is handled across every sector, including banking and healthcare.


Information security infrastructure continues to grow in complexity, and organizations need to keep abreast of the new risks that accompany technological advancement in the various sectors of the economy.

Since a cyberattack is not a matter of IF but of WHEN, organizations need to:

  1. Ensure continuous training of their staff on matters of cybersecurity, for instance how to identify a phishing email.
  2. Carry out regular system audits and penetration testing of their systems to check for vulnerabilities.
  3. Maintain cyber hygiene in their organizations, and ensure policies are realistic and are being adhered to.
  4. Patch their systems and keep them up to date.