A major hack that compromised Uganda’s mobile money network has plunged the country’s telecoms and banking sectors into crisis.
The Oct. 3 hack was a result of a security breach on a consumer finance aggregator, Pegasus Technologies, which mainly affected bank to mobile wallet transfers, according to an Oct. 8 statement by MTN Uganda, the country’s largest mobile phone company. Kampala-based Pegasus Technologies provides financial and billing solutions for various companies including all the affected entities.
At least $3.2 million is estimated to have been stolen in this latest incident with some reports quoting a much higher figure. The hackers used around 2,000 mobile SIM cards to gain access to the mobile money payment system, according to local papers. They then instructed the banks to transfer millions of dollars to telecommunication companies who then paid out mobile money to these different SIM cards across the country.
MTN Uganda and Airtel Uganda, suspended mobile money service transactions between their networks, indefinitely, following what they termed as an “unprecedented technical challenges” in a joint statement signed by their respective chief executive officers. The services are yet to be restored.
More than $20 billion worth of transactions was channeled through the mobile money system in 2019, according to Bank of Uganda, the country’s central bank. MTN alone has over 11 million subscribers and an 80% market share of mobile money transactions in the East African country.
According to MTN Uganda, only transactions via Stanbic Bank Uganda, MTN to Airtel and Sendwave, a cross-border payments service operating in six African countries including Kenya, Uganda, Tanzania, Ghana, Nigeria, Senegal, and Liberia are affected.
On Oct. 6, MTN Uganda upgraded its system according to a statement issued to customers. During the period, data, voice and mobile money services were interrupted. All the affected telecoms and banks have assured customers that their account balances and other information was not affected in the breach.
Stanbic Bank Uganda, the largest commercial bank in the country by assets, and Bank of Africa Uganda have suspended transactions between the banks and the mobile phone companies.
At least two suspects have been arrested by the police according to various sources. The two are linked to Pegasus Technologies. The company is yet to make any comment about the incident. Police have allowed the affected companies to carry out an audit of their accounts, which will inform the investigation of what actually happened and how much money was stolen.
A breach of the fast-growing mobile money system will be a blow to efforts to drive up financial inclusion in Uganda and other countries in the region. A majority of Ugandans have no formal bank account and rely on mobile money for its convenience. In some rural areas it is the only feasible option. Mobile money payments are used in agriculture, energy, health and education, among other sectors.
The Uganda Police Annual Crime and Road Safety Report of 2019 showed more than 41 billion Ugandan Shillings ($11m) was lost to criminals through cyber crimes including swapping SIM cards and hacking digital financial accounts last year.
Sign up to the Quartz Africa Weekly Brief here for news and analysis on African business, tech, and innovation in your inbox