MoMo Payment Service Bank, the new financial services subsidiary of telecoms company MTN Nigeria, suffered a breach in the last week of May just days after launch, reportedly losing 22 billion naira ($53 million).
Nigerian payment service banks operate with a mobile money license reserved for non-bank institutions. They offer deposits and withdrawals, and cross-border remittances. They can issue debit cards, but not credit cards, and a fourth of their operations must be in rural areas where most financially excluded Nigerians live. But according to news reports this week, MoMo PSB lost $53 million following 700,000 unauthorized transfers to about 8,000 accounts in 18 Nigerian commercial banks.
In a statement (pdf), the company said it stopped the transfers after noticing them on May 25, leading to a temporary service suspension that was eased within 24 hours.
The statement did not mention the reported amount lost as a result of the transfers, but said the company has “worked with relevant stakeholders to reverse the vast majority of those wrong transactions, whilst through the legal processes we are working to reverse the remaining.”
“No customer funds were lost and all customer data is secure,” the statement by MoMo PSB’s CEO Usoro Usoro said.
News reports about the breach cited a court filing that shows MoMo PSB requesting each of the 18 banks to explain how much of the $53 million they received in their customers’ accounts. While conceding that some customers of those banks may have already withdrawn proceeds of the breach, MoMo PSB wants the banks to return whatever remains of the transfers.
MoMo PSB, according to the reported court filing, said the money was withdrawn from a settlement account it maintains with First Bank, Nigeria’s oldest bank and one of the country’s top five by assets. First Bank is one of the 18 being sued by MoMo PSB.
With its lawsuit, MoMo PSB has put the banks on the hot seat to remedy fraud carried out by yet-to-be-identified hackers. But the episode suggests the new bank was vulnerable from the beginning, raising questions about how well MTN prepared for the rollout.
A senior staff member at one of the 18 banks briefed on the breach told Quartz that the scale of the hack was broader than MoMo has indicated. The initial loss from the error was N36 billion ($86 million) but some banks returned N14 billion within days, and the hack involved more than the 8,000 accounts mentioned, the person said. MTN did not respond to Quartz’s questions about this. MoMo PSB could not be reached for comment.
If true, it represents a stunning baptism by fire for the new company into Nigerian banking, where cyber attacks and fraud have increased over the past two years. Banks almost never officially disclose or admit the hacks, but data show it happens: between July and September 2020 alone, Nigerian banks lost N3.5 billion (~$9 million) to fraud, over 534% more than the same period in 2019. Such activities are carried out by insiders, former staff, or external hackers.
That a breach would cause MoMo PSB to lose, in days, six times what all Nigerian banks lost in three months is staggering. It is not clear how it happened. The company’s statement curiously described news reports about it as concerning “customer-initiated transfers.” The magnitude of the breach will be a warning to other payment service banks, particularly Smartcash, Airtel’s own PSB in Nigeria, which was approved by the Central Bank of Nigeria together with MoMo PSB and launches later this week.