A serious hack that jeopardised Uganda’s mobile money network has caused a catastrophe in the country’s telecom and banking sectors.
Reports from MTN Uganda, the nation’s largest mobile phone company, show that the hack, which occurred on the 3rd of October, came as a result of a security breach at Pegasus Technologies, a consumer finance aggregator. The hack primarily affected bank to mobile wallet transfers. Pegasus Technologies delivers financial and billing solutions for numerous corporations, including those that were victims of the hack.
It is estimated that a minimum of $3.2 million was stolen in the odious event, with some reports stating that a much higher figure was stolen. Local papers opine that the cybercriminals utilised about 2,000 mobile SIM cards to access the mobile money payment platform. Having gained access to the system, they were able to authorise banks to transfer millions of dollars to telecommunication companies, which in turn paid mobile money into the numerous SIM cards scattered across the country.
In the wake of the hack, MTN Uganda and Airtel Uganda discontinued mobile money service transactions between their networks for the foreseeable future. This has been done in a bid to deal with what the network providers referred to as “unprecedented challenges” in a joint statement signed by the executive officers of both firms. They are yet to recommence the discontinued services.
According to the Bank of Uganda, the nation’s central bank, over $20 billion in transactions was carried out through the mobile money platform in 2019. MTN can boast of more than 11 million subscribers and about 80% market share of the mobile deals in Uganda.
MTN Uganda listed the transactions affected by the hack; they include all transactions carried out through Stanbic Bank Uganda, MTN to Airtel, and Sendwave. Note that Sendwave is a cross-border payments service with a presence in six African countries including Kenya, Tanzania, Uganda, Ghana, Senegal, Liberia and Nigeria.
A statement issued to customers by MTN Uganda shows that the service provider upgraded its system on the 6th of October. Data, voice, and mobile money services were partially suspended at the time of the upgrade. All the banks and telecom companies affected by the hack have reassured customers that their account balances and personal data were not compromised in the breach.
Stanbic Bank Uganda, the largest commercial bank in Uganda by assets, and Bank of Africa Uganda have discontinued all deals with the banks and telecom companies.
Major Findings
Numerous sources suggest that a minimum of two suspects have been nabbed by the police in connection with the hack. These two are connected to Pegasus Technologies. So far, Pegasus Technologies has made no comment regarding the incident. Police authorised the affected companies to carry out an audit of their accounts, a move that they hope will provide a clear picture of the criminal activities and reveal the actual amount that was lost.
A compromise in the fast-growing mobile money system will dampen all efforts to improve financial inclusion in Uganda and other East African countries. A greater part of the Ugandan population does not own bank accounts and relies heavily on mobile money to carry out financial activities. It is the only practical solution in some rural areas. Mobile money payments are utilised in sectors like agriculture, energy, health, education, and others.
In the last year alone, over 41 billion Ugandan Shillings ($11m) was lost to cybercriminals through cybercrimes such as SIM swaps and hacks of digital financial accounts, according to the Uganda Police Annual Crime and Road Safety report of 2019.