Financial technology company Flutterwave has reported a significant security breach resulting in the unauthorized transfer of ₦11 billion ($7 million) to multiple bank accounts.
This incident follows closely on the heels of the company’s efforts to recover $24 million lost to unauthorized point-of-sale (POS) transactions, for which it secured a court order just a month prior.
“As is common in the financial services industry, there will always be attempts by bad actors to compromise the security of systems set up to protect and monitor services,” Flutterwave told TechCabal.
Insiders with knowledge of the situation have indicated that the actual amount involved in the breach could be as high as ₦20 billion ($13.5 million). Flutterwave acknowledged the breach, emphasizing that attempts to compromise security systems are unfortunately common in the financial services industry.
The unauthorized activities were detected in April on one of Flutterwave’s platforms utilized by a limited customer base.
Flutterwave did not specify the exact amount involved but stated that “no customer funds were lost or compromised, and the confidentiality of our customers’ data remains intact.”
Sources familiar with the incident revealed that the stolen funds were distributed across accounts in five financial institutions over a span of four days. Perpetrators likely circumvented detection by ensuring that deposits remained below thresholds triggering fraud checks.
Law enforcement agencies have been alerted, and investigations are underway, according to an anonymous source. Flutterwave has taken proactive measures, reaching out to financial institutions to acquire Know Your Customer (KYC) details of the affected accounts and temporarily restricting their access.
This breach appears to be more sophisticated than previous incidents, involving an organized network and a closed-loop approach to fund distribution, as observed by industry experts. It marks the fourth unauthorized transfer incident reported by Flutterwave in the past fourteen months.
The Central Bank’s mandate for customers to provide Bank Verification Numbers (BVN) or National Identification Numbers (NIN) for account opening by March 2024 may aid in identifying the account owners involved in the breach.
In February, Flutterwave obtained a court order known as a Mareva injunction, enabling the recovery of funds from identified account holders, even if the funds have been spent, utilizing KYC details provided by financial institutions.