HTTP logins exposed PII

A court case and security posts revealed ZPos installations logging HTTP (non‑TLS) credentials, leaving personally identifiable information exposed in server logs. (x.com) The same coverage warned of GDPR subject‑access‑request failures and cautioned that some Nigerian fintechs are operating without full licenses or KYC safeguards. (x.com)

A login page is only secure if the connection is encrypted. In the ZPos case, security posts and court filings said some installations sent usernames and passwords over plain Hypertext Transfer Protocol, or HTTP, where web servers can record the full request in logs. (gimmir.com) Server logs are the running diary a website keeps for troubleshooting and traffic records. If a login form uses HTTP instead of Hypertext Transfer Protocol Secure, or HTTPS, those logs can capture email addresses, passwords, Internet Protocol addresses, and other personal details in readable text. (gimmir.com) That turns an ordinary access log into a store of personal data.

Under the United Kingdom Information Commissioner’s Office guidance, people can ask for a copy of their personal data through a subject access request, and organizations are expected to search for it and respond within one month. (ico.org.uk) The complaint described in the coverage did not stop at exposed credentials. It also raised failures around subject access requests, which matter because a company that cannot find data in its own logs may struggle to tell users what was collected, where it went, and whether it was deleted. (ico.org.uk)

Nigeria now has its own national privacy regime. The Nigeria Data Protection Commission says the Nigeria Data Protection Act 2023 gives data subjects rights to access, rectification, objection, portability, and complaints to the regulator. (ndpc.gov.ng) The same law also puts security duties on companies that decide how data is processed. The Act’s text says controllers must protect confidentiality and notify the Commission within 72 hours after becoming aware of a breach that is likely to risk people’s rights and freedoms. (ndpc.gov.ng)

Licensing is a separate issue from privacy, but the two meet in payments. The Central Bank of Nigeria runs a licensing portal for financial institutions, and Nigerian legal guides on fintech regulation say payment, switching, and wallet products can require specific approvals rather than a general “startup” status. (larp.cbn.gov.ng; firstfiduciary.ng) Know-your-customer (KYC) checks are another layer. In payments, those checks are the identity rules meant to stop fraud and money laundering, so warnings that a fintech is operating without full licensing or with weak customer verification point to both regulatory risk and a larger attack surface if credentials or account data are mishandled. (firstfiduciary.ng; ndpc.gov.ng)

The technical fix is not exotic. Security guidance on log hygiene says companies should enforce HTTPS, stop sending secrets in web addresses or request bodies that get logged, minimize what logs retain, and mask or remove personal data before it reaches long-term storage. (gimmir.com; sematext.com) The thread running through the ZPos reporting is simple: a login box, a server log, and a regulator can end up in the same story. Once credentials and personal data land in plain text, the problem is no longer just a coding mistake; it becomes a records, compliance, and breach-response problem too. (gimmir.com; ico.org.uk; ndpc.gov.ng)
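The log-hygiene steps above (keep secrets out of logged URLs, mask personal data before long-term storage, and know what the existing logs already hold) can be checked mechanically. The following is an added Python example, not code from the ZPos coverage or from any of the cited sources: it scans access-log lines for credentials and personal data carried in query strings, referrers and client addresses, masks them, and counts how many lines were affected so an operator can size a subject-access or breach-notification question. The parameter names, mask tokens and sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote

# Query parameter names mapped to the data class they carry; matching values are masked.
PARAM_CLASS = {"password": "credential", "passwd": "credential", "pwd": "credential",
               "token": "credential", "session": "credential",
               "email": "pii", "username": "pii", "user": "pii", "phone": "pii"}
MASK = {"credential": "[REDACTED]", "pii": "[MASKED]"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IPV4_RE = re.compile(r"\b(\d{1,3}\.\d{1,3}\.\d{1,3})\.\d{1,3}\b")
REQUEST_RE = re.compile(r'"(\S+) (\S+)( HTTP/[\d.]+)?"')  # the "METHOD target HTTP/x" field

def redact_query(query, findings):
    """Mask secret and PII values in a raw query string; other pairs are kept verbatim."""
    out = []
    for pair in query.split("&"):
        key, sep, value = pair.partition("=")
        kind = PARAM_CLASS.get(unquote(key).lower())
        if kind and sep:
            findings.add(kind)
            value = MASK[kind]
        out.append(key + sep + value)
    return "&".join(out)

def redact_request(m, findings):
    path, sep, query = m.group(2).partition("?")
    target = path + sep + (redact_query(query, findings) if sep else "")
    return f'"{m.group(1)} {target}{m.group(3) or ""}"'

def redact_log_line(line):
    """Return (masked line, set of data classes found in it)."""
    findings = set()
    line = REQUEST_RE.sub(lambda m: redact_request(m, findings), line, count=1)
    if EMAIL_RE.search(line):      # e-mails anywhere else: referrer, user agent, echoed bodies
        findings.add("pii")
        line = EMAIL_RE.sub("[EMAIL]", line)
    if IPV4_RE.search(line):       # keep the /24 for troubleshooting, drop the host octet
        findings.add("ip")
        line = IPV4_RE.sub(r"\1.0", line)
    return line, findings

def scan_log(lines):
    # Redact every line; return the masked lines and how many lines held each data class.
    results = [redact_log_line(line) for line in lines]
    counts = {k: sum(k in found for _, found in results) for k in ("credential", "pii", "ip")}
    return [clean for clean, _ in results], counts

SAMPLE_LOG = [  # constructed sample lines: RFC 5737 documentation addresses, made-up users
    '203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /login?user=alice%40example.com&password=Hunter2&next=%2Fhome HTTP/1.1" 302 0',
    '198.51.100.23 - - [10/Oct/2024:13:56:01 +0000] "GET /static/app.js HTTP/1.1" 200 4821',
    '192.0.2.9 - - [10/Oct/2024:13:57:10 +0000] "POST /login HTTP/1.1" 200 17 "http://shop.example/login?email=bob@example.com" "Mozilla/5.0"',
]
```

The masking applies whether or not the transport was encrypted, since the server writes its access log after TLS is terminated; IPv6 clients and percent-encoded addresses outside the query string are not covered here and would need their own patterns.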
