LONDON — It was just before Thanksgiving when Karl Lowe, chief information officer at Catholic Relief Services, got word of bad news. The RedRose system it uses for digital payments in West Africa had been hacked, exposing personal, geographic, and photographic data about its beneficiaries.
The vulnerability began with a password. “If you look at any breach, that is the easiest way to get into someone’s system,” said Lowe. Mautinoa Technologies, a company working on similar projects to RedRose, had been investigating its competition when a staff member stumbled across an old password and user ID for one of the CRS systems, enabling them to gain access. The fault “was squarely on our shoulders,” Lowe acknowledged. Mautinoa said it also revealed systematic weaknesses in RedRose’s security, which both RedRose and CRS deny.
Fortunately, the data was not made public, but it still required a swift response to close the security gap.