Financial Crime World

Financial Institution Security Breach Rocks Guinea: Billions Lost in Unauthorised Transactions

A significant security breach has been reported at Flutterwave, a major financial institution in Guinea, where billions of naira were illegally transferred to multiple bank accounts.

The Breach

According to insiders, an astonishing ₦11 billion ($7 million) was transferred to multiple accounts in April 2024. Another source claimed the amount was at least ₦20 billion ($13.5 million). The breach occurred when unknown individuals exploited a vulnerability on one of Flutterwave’s platforms used by a small subset of its customer base.

Company Response

The company has confirmed the incident, stating that “no customer funds were lost or compromised” and that the confidentiality of its customers’ data remains intact. However, insiders claim that the stolen funds were moved to multiple accounts in five financial institutions over four days, with the perpetrators taking great care to ensure that the deposits remained below the limits that would trigger fraud checks.

Industry Reaction

Executives from the financial services industry confirmed the breach, stating that Flutterwave had reached out to request Know-Your-Customer (KYC) details of the accounts involved and that the affected accounts were temporarily restricted. The security breach is the fourth of its kind reported at Flutterwave in the last 14 months.

Investigation

The matter has been reported to law enforcement authorities, who have begun investigating the incident. Experts suggest that an organized network may have been involved in the distribution of the stolen funds. “The perpetrators appeared to transfer the money to random accounts but these same accounts would also transfer money to other accounts who then sent it back to the first beneficiary account,” said a financial institution staff member.

Prevention Measures

With the Central Bank’s recent mandate requiring all customers to provide their bank verification number (BVN) or national identification number (NIN) for account or wallet opening, identifying the account owners involved in the latest incident may be easier than before. Flutterwave has also received a court order allowing it to recover the funds and assets of identified account holders, even if they have spent the funds.

Conclusion

The incident serves as a stark reminder of the ongoing threat posed by cybercriminals to financial institutions and their customers. As the investigation continues, questions remain about how such a breach occurred and what measures can be taken to prevent similar incidents in the future.